CVE-2025-32102

Published Apr 15, 2025

Last updated 4 months ago

Overview

Description: CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=telnetSocket request to the /WebInterface/function/ URI.
Source: cve@mitre.org
NVD status: Modified
Products: crushftp

Risk scores

CVSS 3.1

Type: Secondary
Base score: 5
Impact score: 1.4
Exploitability score: 3.1
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Severity: MEDIUM

Weaknesses

cve@mitre.org: CWE-918

Social media

Hype score
Not currently trending
  1. 🚨CVE-2025-32102 & CVE-2025-32103: CrushFTP Server-Side Request Forgery (SSRF) and Directory Traversal FOFA Link: https://t.co/mCHjgwtfo0 FOFA Query: app="CrushFTP" Results: 342,867 Disclosure: https://t.co/XLhGxXq545 https://t.co/12LcRaar4Z

    @DarkWebInformer

    31 May 2025

    8252 Impressions

    18 Retweets

    110 Likes

    49 Bookmarks

    1 Reply

    0 Quotes

  2. 🚨 CVE-2025-32102 🟠 MEDIUM (5) 🏢 CrushFTP - CrushFTP 🏗️ 9 🔗 https://t.co/P9dpUXIsuP 🔗 https://t.co/HHGQJWEeoF 🔗 https://t.co/RY2DUOEQNE #CyberCron #VulnAlert #InfoSec https://t.co/zpaFBeQU9W

    @cybercronai

    15 Apr 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-32102 CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=telnetSocket request to the /WebInterface/funct… https://t.co/r4C6coIFuO

    @CVEnew

    15 Apr 2025

    274 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. csirt_it: #CrushFTP: a #PoC is available for exploiting CVE-2025-32102 and CVE-2025-32103 Risk: 🟠 Type: 🔸 Remote Code Execution 🔗 https://t.co/I7KHBgVN6i 🔄 Updates available 🔄 https://t.co/RTJn8WhGOO

    @Vulcanux_

    15 Apr 2025

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-32102, -32103: Multiple vulns in CrushFTP❗️ Vulns in the popular file transfer web service include Directory Traversal and SSRF. A PoC has also been published. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/wJUNYoDlsx #cybersecurity #vulnerability_map https:

    @Netlas_io

    15 Apr 2025

    45 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CrushFTP vulnerabilities (CVE-2025-32102 & 32103) expose servers to SSRF and directory traversal attacks—patch immediately. Details: https://t.co/x4GLurzfx7 #CyberSecurity #Vulnerability

    @adriananglin

    15 Apr 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. ⚡️The vulnerability details are now available: https://t.co/TBdJTFenPB 🚨🚨CrushFTP Under Attack! CVE-2025-32102: SSRF alert! Attackers can exploit weak host/port validation to hijack requests. CVE-2025-32103: Directory traversal flaw exposes remote files to unauthorized https:

    @zoomeye_team

    15 Apr 2025

    422 Impressions

    0 Retweets

    7 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨Alert🚨 CVE-2025-32102 & CVE-2025-32103: CrushFTP Hit by SSRF and Directory Traversal Vulnerabilities 🔥PoC:https://t.co/lQtUDLHxUP 📊120K+ Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/OpFcAmqXXM 👇Query HUNTER : https://t.co/wiHQ83gy

    @HunterMapping

    15 Apr 2025

    1952 Impressions

    6 Retweets

    24 Likes

    11 Bookmarks

    0 Replies

    0 Quotes

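  9. The serious vulnerabilities CVE-2025-32102 and CVE-2025-32103 have been discovered in the file transfer server CrushFTP and are drawing attention. CVE-2025-32102 is an SSRF vulnerability that allows internal network scanning through the specification of unauthorized hosts and ports.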

    @yousukezan

    15 Apr 2025

    1460 Impressions

    2 Retweets

    8 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  10. The vulnerabilities, identified as CVE-2025-32102 and CVE-2025-32103, expose the server to Server-Side Request Forgery (SSRF) and Directory Traversal attacks, respectively. https://t.co/MELTgujQlm

    @the_yellow_fall

    15 Apr 2025

    450 Impressions

    4 Retweets

    5 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  11. https://t.co/VZOFZdWzDB [CVE-2025-32102, CVE-2025-32103] SSRF and Directory Traversal in CrushFTP 10.7.1 and 11.1.0 (as well as legacy 9.x)

    @CALIVEDATA

    13 Apr 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations