CVE-2025-24366
📋 TL;DR
This vulnerability allows authenticated SFTPGo users to exploit unsanitized rsync command arguments to read or write files with server process permissions. It affects SFTPGo installations where the optional rsync command is enabled. The rsync command is disabled by default but can be activated in configuration.
💻 Affected Systems
- SFTPGo
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attacker gains arbitrary file read/write access to the local filesystem with SFTPGo server privileges, potentially leading to data theft, system compromise, or lateral movement.
Likely Case
Authenticated user with rsync access exploits command options to access unauthorized files within the server's accessible filesystem scope.
If Mitigated
With rsync disabled (default) or proper access controls, impact is limited to authorized file operations only.
🎯 Exploit Status
Requires authenticated access and rsync command enabled. Exploitation involves crafting malicious rsync command arguments.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.6.5
Vendor Advisory: https://github.com/drakkan/sftpgo/security/advisories/GHSA-vj7w-3m8c-6vpx
Restart Required: No
Instructions:
1. Back up configuration and data.
2. Stop the SFTPGo service.
3. Upgrade to v2.6.5 or later.
4. Restart the SFTPGo service.
5. Verify the version and functionality.
🔧 Temporary Workarounds
Disable rsync command
Ensure the rsync command is disabled in the SFTPGo configuration.
Check the configuration file for the 'rsync' command setting and confirm it is disabled or not present.
🧯 If You Can't Patch
- Disable rsync command in all SFTPGo configurations immediately
- Restrict SSH access to trusted users only and implement strict access controls
🔍 How to Verify
Check if Vulnerable:
Check the SFTPGo version and configuration: if the version is earlier than 2.6.5 AND the rsync command is enabled in the configuration, the system is vulnerable.
Check Version:
sftpgo version
Verify Fix Applied:
Confirm SFTPGo version is 2.6.5 or later and rsync command arguments are properly sanitized.
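The two-part check above (version earlier than 2.6.5 and rsync enabled), as an added example that is not part of this advisory or of SFTPGo's own tooling. It assumes the enabled SSH commands are listed under `sftpd.enabled_ssh_commands` in sftpgo.json, that `*` enables every supported command, and that the environment variable `SFTPGO_SFTPD__ENABLED_SSH_COMMANDS` (comma-separated) overrides the file; the sample configuration is constructed.

```python
import json
import os
import re

FIXED_VERSION = (2, 6, 5)  # first release carrying the fix, per the advisory


def parse_version(text):
    """Turn output such as 'v2.6.4' or '2.6.4-dev' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised SFTPGo version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def enabled_ssh_commands(config, env=None):
    """Effective SSH command list: env override first, then sftpgo.json.

    Assumption: SFTPGo maps SFTPGO_SFTPD__ENABLED_SSH_COMMANDS onto
    sftpd.enabled_ssh_commands and accepts a comma-separated value.
    """
    env = os.environ if env is None else env
    override = env.get("SFTPGO_SFTPD__ENABLED_SSH_COMMANDS")
    if override is not None:
        return [c.strip() for c in override.split(",") if c.strip()]
    return list(config.get("sftpd", {}).get("enabled_ssh_commands", []))


def rsync_enabled(commands):
    # Assumption: "*" enables all supported SSH commands, rsync included.
    return "rsync" in commands or "*" in commands


def is_vulnerable(version, config, env=None):
    """True when the version predates the fix AND rsync is reachable."""
    return parse_version(version) < FIXED_VERSION and rsync_enabled(
        enabled_ssh_commands(config, env)
    )


# Constructed sample of the relevant part of sftpgo.json (not a real deployment).
SAMPLE_CONFIG = json.loads("""{
  "sftpd": {
    "bindings": [{"port": 2022}],
    "enabled_ssh_commands": ["md5sum", "sha1sum", "cd", "pwd", "scp", "rsync"]
  }
}""")

if __name__ == "__main__":
    # Replace "v2.6.4" with the string reported by your own binary.
    print("vulnerable:", is_vulnerable("v2.6.4", SAMPLE_CONFIG, env={}))
```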
📡 Detection & Monitoring
Log Indicators:
- Unusual rsync command patterns in SSH logs
- File access outside user's home directory via rsync
Network Indicators:
- SSH sessions with rsync commands containing suspicious options
SIEM Query:
source="sftpgo" AND (rsync AND ("--" OR suspicious_options))