CVE-2026-33642: Critical Zip Slip in Acme File Transfer Server
TL;DR - Acme File Transfer Server
5.0.0 through 5.4.1is vulnerable to unauthenticated Zip Slip writes via/api/v1/import. - Upgrade to5.4.2immediately or disable/restrict the import API. - No CISA KEV listing and no confirmed public PoC in reviewed sources, but exposure is high due to remote, no-auth reachability.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-33642 |
| CVSS score | 9.8 Critical |
| Attack vector | Network (AV:N) |
| Auth required | None (PR:N) |
| Patch status | Fixed in 5.4.2 |
What happened and why it matters
CVE-2026-33642 is a critical Zip Slip vulnerability in Acme File Transfer Server. According to the NVD description, versions before 5.4.2 mishandle archive extraction paths and allow unauthenticated remote attackers to write files outside the intended import directory by uploading crafted ZIP files to /api/v1/import. The vendor advisory narrows the affected range to 5.0.0 through 5.4.1, and those statements align: everything from 5.0.0 up to and including 5.4.1 is affected, while 5.4.2 contains the fix.
For defenders, the important point is not just “path traversal” in the abstract. This bug gives an external attacker a write primitive on the server, constrained by what the Acme File Transfer Server service account can access. That can mean overwriting application files, planting files in predictable locations, corrupting imports, or creating a path toward code execution in some environments if writable locations intersect with executable or interpreted paths. Even where direct code execution is not possible, arbitrary file overwrite is enough to treat this as an urgent internet-facing exposure.
Exploitation status: what is known and what is not
Based on the supplied research material, there is no CISA-confirmed exploitation in the wild at this time. CVE-2026-33642 is not listed in the CISA Known Exploited Vulnerabilities catalog, so there is currently no KEV-backed statement that the bug is being actively exploited. That is useful context for prioritization, but it should not reduce urgency for exposed systems given the no-auth network reachability and high impact.
Also based on the reviewed sources, no public proof-of-concept (PoC) has been confirmed. That is not the same thing as “safe to defer.” Zip Slip bugs are generally straightforward for capable attackers to reproduce from an advisory alone, especially when the vulnerable endpoint and traversal behavior are explicitly described. In the absence of public exploit telemetry, defenders should assume opportunistic scanning and private exploitation are possible, particularly for internet-facing file transfer infrastructure.
Affected versions and exposure conditions
The vendor states that Acme File Transfer Server 5.0.0 through 5.4.1 is affected, and the fix is in 5.4.2. Release notes specifically call out that users on 5.0.x, 5.1.x, 5.2.x, 5.3.x, or 5.4.0/5.4.1 should upgrade immediately. If you are running any of those branches, you should assume exposure unless you have independently disabled or tightly filtered access to the import endpoint.
The exploitation conditions are unusually favorable for attackers. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which means network-reachable, low complexity, no privileges, and no user interaction. The vendor also explicitly notes that “No authentication is required to reach the vulnerable endpoint in default configurations.” In practice, that means any internet-exposed deployment with /api/v1/import reachable should be prioritized as an emergency patching case. If version data is incomplete in your asset inventory, defenders should assume any unidentified Acme File Transfer Server instance older than 5.4.2 is potentially vulnerable until verified.
Root cause and likely impact
The root cause is a textbook archive extraction validation failure. The server accepted ZIP member names containing traversal sequences such as ../ and ..\ and failed to canonicalize and validate the final extraction path before writing files. In other words, the application trusted paths inside the ZIP archive and did not reliably enforce that extracted files stayed within the configured import workspace.
The impact depends on filesystem permissions and deployment specifics, but the risk is serious even without confirmed code execution. The vendor says an attacker can overwrite application files or place executable content in attacker-chosen locations reachable by the service account. That creates multiple plausible outcomes: service disruption, corruption of imported data, persistence through malicious file placement, or further compromise if written files are later executed, loaded, or processed by the server or adjacent tooling. Because the endpoint is unauthenticated in default configurations, exposed systems should be treated as high-priority targets whether or not active exploitation has yet been confirmed.
Technical Notes
A simplified example of the dangerous ZIP entry pattern looks like this:
../../../../opt/acme/fts/conf/server.conf
..\..\..\..\var\www\html\shell.jsp
../imports/../../tmp/marker.txt
The vulnerable behavior can be described as:
for each zip_entry in uploaded_archive:
destination = import_root + "/" + zip_entry.name
write_file(destination, zip_entry.contents)
A safer pattern, consistent with the vendor’s fix description, is to normalize and verify the resolved path stays inside the extraction root:
for each zip_entry in uploaded_archive:
destination = normalize(join(import_root, zip_entry.name))
if not destination.starts_with(normalize(import_root) + path_separator):
reject(zip_entry)
else:
write_file(destination, zip_entry.contents)
What defenders should do now
First, identify every Acme File Transfer Server instance and confirm version state. Anything running 5.0.0 through 5.4.1 should be treated as vulnerable and queued for immediate upgrade to 5.4.2. If you operate multiple environments, prioritize systems that are internet-exposed, handle third-party uploads, or run with overly broad filesystem permissions. Also verify whether /api/v1/import is exposed by default through reverse proxies, load balancers, or WAF exceptions.
Second, if patching cannot happen immediately, reduce exposure while you prepare maintenance. The vendor-recommended interim steps are to disable the import API endpoint, restrict network access, and inspect logs for anomalous ZIP imports. Those are sensible compensating controls, but they are temporary. Because the flaw is unauthenticated in default configurations, simply leaving the endpoint reachable while planning a future patch window is a poor risk tradeoff for most organizations.
Detection and hunting guidance
Detection before patching can be difficult if the application does not log ZIP member names or extraction paths in detail. Still, there are a few practical places to hunt. Start with HTTP access logs, reverse proxy logs, and application audit logs for POST requests to /api/v1/import, especially from unusual source IPs, high-frequency upload attempts, or requests followed by application errors or unexpected service changes. On patched systems, the new audit event IMPORT_ZIP_REJECTED_PATH_TRAVERSAL is a strong signal of exploitation attempts or security testing.
You should also review filesystem and process context around the Acme service account. Unexpected file creation or modification outside the normal import workspace shortly after calls to /api/v1/import is suspicious. In environments with EDR or file integrity monitoring, hunt for writes into application config directories, web roots, temp locations used by the service, or startup/script paths accessible to the Acme process. If you lack detailed telemetry, assume gaps remain and prioritize containment plus patching over exhaustive retrospective confidence.
Technical Notes
Example access-log pattern to review:
"POST /api/v1/import HTTP/1.1" 200
"POST /api/v1/import HTTP/1.1" 500
"POST /api/v1/import HTTP/1.1" 400
Example grep-based triage on Linux for application and proxy logs:
grep -R "/api/v1/import" /var/log/nginx/ /var/log/httpd/ /opt/acme/fts/logs/ 2>/dev/null
grep -R "IMPORT_ZIP_REJECTED_PATH_TRAVERSAL" /opt/acme/fts/logs/ 2>/dev/null
Example Splunk query:
(index=web OR index=app)
("/api/v1/import" OR "IMPORT_ZIP_REJECTED_PATH_TRAVERSAL")
| stats count min(_time) as first_seen max(_time) as last_seen by src_ip, host, uri_path, status
| sort - count
Example Sigma-style detection concept for web logs:
title: Acme FTS Import Endpoint Access
logsource:
category: webserver
detection:
selection:
cs-method: POST
cs-uri-stem: /api/v1/import
condition: selection
level: medium
If you do not have logs that expose ZIP internals, defenders should assume failed uploads and repeated import attempts may still indicate probing. The absence of explicit traversal strings in logs is not proof of non-exploitation.
Mitigation and patching
The authoritative fix is to upgrade to Acme File Transfer Server 5.4.2 or later. The release notes say 5.4.2 adds path normalization, rejects entries that resolve outside the configured import workspace, adds a server-side allowlist for permitted extracted file types, and introduces the audit event IMPORT_ZIP_REJECTED_PATH_TRAVERSAL. That means the patch does more than block one string pattern; it improves extraction safety and observability.
If you cannot upgrade immediately, the documented workaround is to disable the import API endpoint and restrict network access to trusted administrative sources only. Because the research note does not include a vendor-specific configuration knob for disabling /api/v1/import, do not guess at undocumented directives. Instead, defenders should use known control points they already manage, such as reverse proxy rules, WAF policies, ingress controllers, or firewall ACLs, and validate that the endpoint is no longer reachable from untrusted networks.
Technical Notes
If you deploy via container image or package automation, the exact upgrade command depends on your installation method. The sources confirm the fixed version 5.4.2, but they do not document a canonical one-line vendor installer command. In the absence of vendor-published upgrade syntax in the provided material, defenders should use their established package or deployment workflow and verify the installed version afterward.
Example container-based upgrade pattern:
docker pull acme/fts:5.4.2
docker stop acme-fts
docker rm acme-fts
docker run -d --name acme-fts -p 443:443 acme/fts:5.4.2
Example Kubernetes image update:
kubectl set image deployment/acme-fts acme-fts=acme/fts:5.4.2
kubectl rollout status deployment/acme-fts
Example reverse proxy workaround to block the vulnerable endpoint until patching is complete:
location = /api/v1/import {
deny all;
return 403;
}
Example verification steps after mitigation:
curl -i -X POST https://fts.example.com/api/v1/import
# Expect 403/404 if endpoint is intentionally blocked
grep -R "IMPORT_ZIP_REJECTED_PATH_TRAVERSAL" /opt/acme/fts/logs/ 2>/dev/null
If you do not know how your instance was installed, treat that as an operational risk indicator. Identify the deployment path first, then patch, rather than improvising commands on production systems.
References
The primary facts in this write-up come from the NVD record, the vendor advisory, the v5.4.2 release notes, and the linked GitHub tracking issue. Those sources consistently state that Acme File Transfer Server 5.0.0 through 5.4.1 is vulnerable, that the flaw affects /api/v1/import, and that 5.4.2 is the fixed version.
For practitioners, the most useful references are the vendor advisory for version scoping and mitigations, and the release notes for fix behavior and new logging. Because public exploitation and PoC status remain unconfirmed in the provided material, continue monitoring the vendor advisory, NVD updates, and trusted threat intelligence feeds for any change in exploitation status.
- Vendor advisory:
https://vendor.example.com/security/advisories/AFS-2026-04 - Release notes:
https://github.com/acme/fts/releases/tag/v5.4.2 - Tracking issue:
https://github.com/acme/fts/issues/1842 - NVD record: NVD entry for
CVE-2026-33642
For more information on security vulnerabilities, check our glossary of WPA2 or learn about dependency confusion.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.