
CrushFTP, a popular file transfer server, is facing increased scrutiny following the discovery of two significant security vulnerabilities. The vulnerabilities, identified as CVE-2025-32102 and CVE-2025-32103, expose the server to Server-Side Request Forgery (SSRF) and Directory Traversal attacks, respectively.
CVE-2025-32102: Server-Side Request Forgery (SSRF)
The first vulnerability, CVE-2025-32102, affects CrushFTP versions 9.x, 10.x up to 10.8.4, and 11.x up to 11.3.1. It stems from how the application handles telnetSocket requests. Specifically, the host and port parameters within these requests are not properly validated, allowing attackers to potentially conduct Server-Side Request Forgery (SSRF) attacks.
An attacker can exploit this by manipulating the host and port parameters to scan remote ports. The server’s response differs based on the connection attempt’s success: “Connected” indicates a successful connection, while “Connection refused” signifies a failure.
Proof-of-Concept Example:
CVE-2025-32103: Directory Traversal
The second vulnerability, CVE-2025-32103, also impacts CrushFTP versions 9.x, 10.x up to 10.8.4, and 11.x up to 11.3.1. This vulnerability allows for directory traversal via the /WebInterface/function/ URI.
Attackers can exploit this to read files accessible by SMB at UNC share pathnames, effectively bypassing Security Manager restrictions.
The application’s logic fails to adequately filter or restrict network paths when listing directories or files. By injecting a UNC path (e.g., \\server\resource) instead of a local path (e.g., C:/PATH), an attacker can gain unauthorized access to remote directories and files. This vulnerability is described as a form of Path Traversal that specifically involves the mishandling of network paths.
Proof-of-Concept Example:
Mitigation
The solution for both CVE-2025-32102 and CVE-2025-32103 is to update CrushFTP to the latest version. Users are strongly advised to apply the update as soon as possible to protect their systems from potential exploitation.
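Until the update is applied, defenders can hunt for attempts against both issues in the web access logs: telnetSocket requests aimed at internal hosts or cycling through many ports (the SSRF port-scan pattern described above), and directory-listing requests whose path parameter is a UNC share rather than a local path. The Python below is an added example, not CrushFTP code or the advisory's PoC; the log line layout, the listDir command name and the exact query parameter names are assumptions to be adapted to real logs.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines ("client_ip METHOD path?query"). The command
# names and query layout are assumptions for the demo, not real CrushFTP traffic.
SAMPLE_LOG = [
    '10.0.0.5 GET /WebInterface/function/?command=telnetSocket&host=127.0.0.1&port=22',
    '10.0.0.5 GET /WebInterface/function/?command=telnetSocket&host=127.0.0.1&port=3306',
    '10.0.0.5 GET /WebInterface/function/?command=telnetSocket&host=127.0.0.1&port=6379',
    '10.0.0.9 GET /WebInterface/function/?command=listDir&path=%5C%5Cfileserver%5Cshare',
    '10.0.0.7 GET /WebInterface/function/?command=listDir&path=/home/user',
]

def is_internal_host(host):
    """True for loopback, private, link-local or 'localhost' SSRF targets."""
    if host.lower() == 'localhost':
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are not resolved here; treat as unknown
    return ip.is_loopback or ip.is_private or ip.is_link_local

def is_unc_path(path):
    """True when a (URL-encoded or raw) path names a network share, not a local dir."""
    p = unquote(path)
    return p.startswith('\\\\') or p.startswith('//')  # \\server\share or //server/share

def analyze(lines, scan_threshold=3):
    """Return (client, finding, detail) tuples for suspicious /WebInterface/function/ calls."""
    findings, ports_by_client = [], defaultdict(set)
    for line in lines:
        client, _, target = line.split(' ', 2)
        url = urlsplit(target)
        if not url.path.startswith('/WebInterface/function/'):
            continue
        q = {k: v[0] for k, v in parse_qs(url.query).items()}  # parse_qs URL-decodes values
        if q.get('command') == 'telnetSocket':
            host, port = q.get('host', ''), q.get('port', '')
            ports_by_client[client].add(port)
            if is_internal_host(host):
                findings.append((client, 'ssrf_internal_target', f'{host}:{port}'))
            if len(ports_by_client[client]) == scan_threshold:  # fires once per client
                findings.append((client, 'ssrf_port_scan', f'{scan_threshold}+ distinct ports'))
        if 'path' in q and is_unc_path(q['path']):
            findings.append((client, 'unc_path_traversal', unquote(q['path'])))
    return findings
```

Hostnames are deliberately not resolved, so a DNS name pointing at an internal address is only caught by the port-scan heuristic; resolve and re-check in an environment where that is acceptable.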