Directory Traversal Vulnerability in CrushFTP Products
CVE-2025-32103

5MEDIUM

Key Information:

Vendor: Crushftp
Status: Crushftp
Vendor: CVE Published:; 15 April 2025

Summary

A directory traversal vulnerability exists in CrushFTP versions 9.x, 10.x (up to 10.8.4), and 11.x (up to 11.3.1) that allows attackers to exploit the /WebInterface/function/ URI. This exploit can enable unauthorized access to files via SMB, leveraging UNC share pathnames and circumventing established SecurityManager restrictions. Such vulnerabilities pose significant risks to sensitive data and system integrity.

Affected Version(s)

CrushFTP 9 <= 10.8.4

CrushFTP 11 <= 11.3.1

References

https://www.crushftp.com/

https://seclists.org/fulldisclosure/2025/Apr/17

https://packetstorm.news/files/id/190460/

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Apr 15, 2025
Vulnerability Reserved
Apr 4, 2025