How to fix CVE-2025-54792?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Vendor patch is available.

Is Localsend affected by CVE-2025-54792?

Organizations using LocalSend face critical risk from CVE-2025-54792 rated CVSS 9.3. Successful exploitation could critically impact the confidentiality, integrity, and availability of affected systems. Proof-of-concept code is publicly available, increasing the risk of exploitation.

CVE-2025-54792

CRITICAL

2025-08-01 [email protected]

9.3

CVSS 4.0

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:04 vuln.today

Patch Released

Mar 28, 2026 - 19:04 nvd

Patch available

PoC Detected

Sep 03, 2025 - 14:12 vuln.today

Public exploit code

CVE Published

Aug 01, 2025 - 23:15 nvd

CRITICAL 9.3

Description

LocalSend is an open-source app to securely share files and messages with nearby devices over local networks without needing an internet connection. In versions 1.16.1 and below, a critical Man-in-the-Middle (MitM) vulnerability in the software's discovery protocol allows an unauthenticated attacker on the same local network to impersonate legitimate devices, silently intercepting, reading, and modifying any file transfer. This can be used to steal sensitive data or inject malware, like ransomware, into files shared between trusted users. The attack is hardly detectable and easy to implement, posing a severe and immediate security risk. This issue was fixed in version 1.17.0.

Analysis

LocalSend is an open-source app to securely share files and messages with nearby devices over local networks without needing an internet connection. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Technical Context

This vulnerability is classified under CWE-300. LocalSend is an open-source app to securely share files and messages with nearby devices over local networks without needing an internet connection. In versions 1.16.1 and below, a critical Man-in-the-Middle (MitM) vulnerability in the software's discovery protocol allows an unauthenticated attacker on the same local network to impersonate legitimate devices, silently intercepting, reading, and modifying any file transfer. This can be used to steal sensitive data or inject malware, like ransomware, into files shared between trusted users. The attack is hardly detectable and easy to implement, posing a severe and immediate security risk. This issue was fixed in version 1.17.0. Affected products include: Localsend. Version information: version 1.17.0..

Affected Products

Localsend.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +46

POC: +20

CVE-2025-54792 vulnerability details – vuln.today

Back

CVE-2025-54792

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-54792

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code