CVE-2025-32103

5.0 MEDIUM

📋 TL;DR

CVE-2025-32103 is a directory traversal vulnerability in CrushFTP that allows attackers to bypass SecurityManager restrictions and read files accessible via SMB UNC share paths. This affects CrushFTP 9.x, 10.x through 10.8.4, and 11.x through 11.3.1. Attackers can exploit this through the /WebInterface/function/ URI to access sensitive files on network shares.

💻 Affected Systems

Products:
  • CrushFTP
Versions: 9.x, 10.x through 10.8.4, 11.x through 11.3.1
Operating Systems: All platforms running CrushFTP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WebInterface to be enabled and accessible. The vulnerability bypasses SecurityManager restrictions specifically for UNC paths.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could read sensitive files from SMB shares including credentials, configuration files, or proprietary data, potentially leading to lateral movement or data exfiltration.
🟠 Likely Case: Unauthorized reading of files accessible via UNC paths that the CrushFTP server can reach, potentially exposing internal network resources.
🟢 If Mitigated: Limited to reading only files that the CrushFTP service account has permission to access on SMB shares.

🌐 Internet-Facing: MEDIUM - Exploitable remotely if WebInterface is exposed, but requires knowledge of UNC paths and accessible SMB shares.
🏢 Internal Only: MEDIUM - Internal attackers could leverage this to access files on network shares accessible to the CrushFTP server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept details available in public disclosures. Exploitation requires crafting requests to the vulnerable URI with UNC paths.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.8.5 and 11.3.2

Vendor Advisory: https://www.crushftp.com/

Restart Required: Yes

Instructions:

1. Download the latest version from the CrushFTP website.
2. Back up the current installation.
3. Install the update following the vendor's instructions.
4. Restart the CrushFTP service.

🔧 Temporary Workarounds

Disable WebInterface (platforms: all): Temporarily disable the WebInterface component if it is not required. Edit the CrushFTP configuration to disable WebInterface, or block access to the /WebInterface/ path.

Network Segmentation (platforms: all): Restrict the CrushFTP server's access to SMB shares. Configure firewall rules to block outbound SMB (TCP 445) from the CrushFTP server.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate CrushFTP server from SMB shares
  • Deploy WAF rules to block requests containing UNC paths (\\ patterns) to /WebInterface/function/

🔍 How to Verify

Check if Vulnerable:

Check if CrushFTP version is within affected ranges and WebInterface is accessible

Check Version:

Check CrushFTP admin interface or server logs for version information

Verify Fix Applied:

Verify version is 10.8.5+ or 11.3.2+ and test that UNC path traversal attempts are blocked

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /WebInterface/function/ containing UNC paths (\\ patterns)
  • File access attempts via SMB from CrushFTP server

Network Indicators:

  • Outbound SMB connections from CrushFTP server following WebInterface requests

SIEM Query:

web.url:*WebInterface/function* AND (web.url:*\\\\* OR web.url:*%5c%5c*)
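As an added example (not part of this advisory or of CrushFTP itself), the log indicators and SIEM query above expressed as a small Python detector run over constructed access-log lines, together with a version check for the affected ranges listed under How to Verify. The NCSA-style log format, the sample hosts and the query parameter name `p` are assumptions for illustration only.

```python
import re
from urllib.parse import unquote

# Indicators from the advisory: requests to /WebInterface/function/ whose URL
# carries a UNC-style "\\" prefix, either raw or percent-encoded as %5c%5c.
URI_RE = re.compile(r"/WebInterface/function/", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\|%5c%5c", re.IGNORECASE)

# Minimal parser for NCSA-style access log lines (assumed format; adapt to your log source).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_affected_version(version: str) -> bool:
    """True if a CrushFTP version string falls inside the advisory's affected
    ranges: 9.x, 10.x through 10.8.4, 11.x through 11.3.1."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))  # pad "10.8" to (10, 8, 0)
    if parts[0] == 9:
        return True
    if parts[0] == 10:
        return parts <= (10, 8, 4)
    if parts[0] == 11:
        return parts <= (11, 3, 1)
    return False

def flag_line(line: str):
    """Return a hit record for a request matching both indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, _method, url, status = m.groups()
    if not URI_RE.search(url):
        return None
    # Test the raw URL and one decoding pass so both "\\" and "%5c%5c" forms match.
    if UNC_RE.search(url) or UNC_RE.search(unquote(url)):
        return {"client": client, "time": ts, "url": url, "status": status}
    return None

def scan(lines):
    """Apply flag_line to every log line and keep the hits, in log order."""
    return [hit for hit in map(flag_line, lines) if hit]

# Constructed sample log lines; hosts, clients and the "p" parameter are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2025:10:00:01 +0000] "GET /WebInterface/function/?p=ok HTTP/1.1" 200',
    '10.0.0.6 - - [01/Apr/2025:10:00:02 +0000] "GET /WebInterface/function/?p=%5c%5cEXAMPLE-HOST%5cshare HTTP/1.1" 200',
    r'10.0.0.7 - - [01/Apr/2025:10:00:03 +0000] "GET /WebInterface/function/?p=\\EXAMPLE-HOST\share HTTP/1.1" 403',
    '10.0.0.8 - - [01/Apr/2025:10:00:04 +0000] "GET /other/?p=%5c%5cEXAMPLE-HOST HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # two hits: the encoded and the raw UNC request
```

Only the two requests that hit /WebInterface/function/ with a UNC marker are reported; the UNC pattern on an unrelated path is ignored, matching the AND in the SIEM query.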
