What is the CVSS score of CVE-2025-66945?

CVE-2025-66945 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Zdir are affected by CVE-2025-66945?

A critical vulnerability in Zdir Pro 4.x allows attackers to write files outside intended directories through a path traversal exploit, potentially leading to complete system compromise.

Is there a public PoC exploit available for CVE-2025-66945?

Yes, a public proof-of-concept exploit is available for CVE-2025-66945. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-66945?

Within 24 hours: Disable the /api/extract endpoint or restrict access to trusted users only; identify all instances of Zdir Pro 4.x in your environment. Within 7 days: Implement WAF rules to block malicious ZIP payloads; segment affected systems from critical infrastructure; monitor for exploitation attempts in logs. Within 30 days: Evaluate alternative file extraction solutions; plan migration path away from Zdir Pro 4.x; establish incident response procedures for potential compromise.

Zdir CVE-2025-66945

CRITICAL

Out-of-bounds Write (CWE-787)

2026-03-03 cve@mitre.org

RCE Path Traversal Zdir

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:05 vuln.today

PoC Detected

Mar 04, 2026 - 17:50 vuln.today

Public exploit code

CVE Published

Mar 03, 2026 - 20:16 nvd

CRITICAL 9.1

DescriptionNVD

A path traversal vulnerability exists in the ZIP extraction API of Zdir Pro 4.x. When a crafted ZIP archive is processed by the backend at /api/extract, files may be written outside the intended directory, leading to arbitrary file overwrite and potentially remote code execution

AnalysisAI

Zip slip to arbitrary file write in Zdir Pro 4.x ZIP extraction API. PoC available.

Technical ContextAI

CWE-787 path traversal in ZIP extraction.

RemediationAI

Apply patch.

CVE-2025-66945 vulnerability details – vuln.today

Back

Zdir CVE-2025-66945

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code