CVE-2025-24366 Overview
CVE-2025-24366 is a command injection vulnerability in SFTPGo, an open source, event-driven file transfer solution. The vulnerability exists in the optional rsync SSH command, which is disabled by default and must be explicitly enabled by an administrator. Even when enabled, the rsync command only works with the local filesystem backend; it is not available for users whose storage is a cloud or remote backend.
Because client-provided rsync command arguments were not sanitized, an authenticated remote user could pass rsync options that read or write arbitrary files with the permissions of the SFTPGo server process. The practical consequence is that any SFTPGo user allowed to run rsync could read or overwrite files outside their virtual home, including SFTPGo's own configuration and credential material, or any other file the server process can reach.
Critical Impact
Authenticated attackers can leverage unsanitized rsync command options to perform unauthorized file read/write operations with SFTPGo server process permissions, potentially leading to data exfiltration or system compromise.
Affected Products
- SFTPGo versions prior to v2.6.5
- Only installations that list "rsync" (or the wildcard "*") in the sftpd enabled_ssh_commands configuration; rsync is not enabled by default
- Only users backed by the local filesystem, since the rsync command does not work with cloud or remote storage backends
Discovery Timeline
- 2025-02-07 - CVE-2025-24366 published to NVD
- 2025-02-07 - Last updated in NVD database
Technical Details for CVE-2025-24366
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as command injection. The flaw resides in the SSH command handling functionality of SFTPGo, specifically within the rsync command processing logic.
SFTPGo supports execution of a defined set of commands over SSH connections, controlled by the enabled_ssh_commands list in the sftpd configuration. The default list is md5sum, sha1sum, sha256sum, cd, pwd and scp; optional commands such as rsync must be added explicitly (or enabled wholesale with the "*" wildcard). The vulnerability arises because, with rsync enabled, the application forwarded the command-line arguments supplied by the authenticated client to the rsync binary without validating them.
This matters because many rsync options take a file path that rsync itself opens on the server host, with the server's privileges, rather than through SFTPGo's virtual filesystem layer. Without argument validation, an authenticated user could choose such options to read or write files on the underlying system, bypassing the intended per-user access controls and reaching outside the user's designated home directory.
Root Cause
The root cause of this vulnerability is insufficient input validation on client-supplied rsync command arguments. SFTPGo neither restricted the rsync options to an allow-list nor enforced a fixed format on the command line, so any rsync flag the client chose reached the rsync process unchanged, and authenticated users could use that to touch files beyond their authorized scope.
The fix in v2.6.5 checks the client-provided arguments, enforces the supported server-side invocation format, and limits the accepted options to a safe subset; anything else is rejected before rsync is executed.
Attack Vector
The attack vector requires network access and valid authentication credentials to the SFTPGo server. An attacker must:
- Authenticate to the SFTPGo server via SSH
- Have access to a configuration where the rsync command is enabled
- Craft malicious rsync command arguments to exploit the lack of sanitization
- Execute file read or write operations with the privileges of the SFTPGo process
Note that these are preconditions rather than technical difficulty: once an account with rsync enabled exists, no special timing or race conditions are needed, so the practical risk for an exposed server that has enabled rsync is that any of its users can exploit it.
// Security patch snippet from internal/sftpd/ssh_cmd.go
// rsync: enforce a supported format and limit the allowed options
"os/exec"
"path"
"runtime/debug"
+ "slices"
"strings"
"sync"
"time"
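Review bot: the `+ "slices"` line pulls in a package that only exists in the standard library from Go 1.21, but this excerpt shows no corresponding bump of the `go` directive in go.mod; confirm the module already requires go 1.21 or later (otherwise use golang.org/x/exp/slices) so that users building from source on an older toolchain do not fail at compile time. The argument check that this import supports is not part of the excerpt, so the allowed-option list itself has to be reviewed in the full commit rather than from this page.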
Source: GitHub Commit Reference
Detection Methods for CVE-2025-24366
Indicators of Compromise
- Unusual rsync command execution patterns in SFTPGo logs with non-standard options
- Unexpected file access or modification events by the SFTPGo process outside designated user directories
- SSH session logs showing rsync commands with suspicious flag combinations
- File integrity monitoring alerts for sensitive system files accessed by the SFTPGo process
Detection Strategies
- Monitor SFTPGo logs for rsync command executions whose arguments include options beyond the plain server-side form (an option that names a file path, or any option not expected from a normal client), or whose path operands contain ".." sequences or absolute paths that resolve outside the user's home
- Implement file integrity monitoring on sensitive system files and directories accessible to the SFTPGo process
- Network sensors cannot see inside an SSH session, so use network telemetry only for connection metadata (new source addresses, unusual session times or volumes) and rely on SFTPGo's own logs for the command content
- Review authentication logs for repeated failed attempts followed by successful logins with immediate rsync activity
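The argument check described under Root Cause and the log review suggested in the detection list above can be demonstrated together. The Go program below is an added example written for this page; it is not SFTPGo's code and does not reproduce the v2.6.5 fix. unsafeArgv mirrors the pre-fix pattern of forwarding client arguments unchanged; checkRsyncArgs is an illustrative hardened form that admits only the server-side rsync invocation format, a small option subset (allowedLong and shortOpts are assumptions chosen for this example, not SFTPGo's real allow-list) and path operands that stay inside the user's virtual home; flagRsyncLogs replays logged invocations through the same check to surface the ones a vulnerable server would have executed. The JSON log lines and their field names are constructed for the example and are not SFTPGo's log schema.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Illustrative policy, NOT SFTPGo's actual allow-list (assumption for this example):
// the long options a server-side rsync invocation legitimately needs.
var allowedLong = map[string]bool{
	"--server": true,
	"--sender": true,
	"--delete": true,
}

// A server-side rsync invocation carries one combined short-option token such as
// "-vlogDtpre.iLsfxC": a run of plain flags, optionally followed by "e." and the
// protocol capability letters. Any token carrying "=" or another long form fails.
var shortOpts = regexp.MustCompile(`^-[vlogDtprxzLu]*(e\.[a-zA-Z]*)?$`)

// unsafeArgv mirrors the vulnerable pattern: client-supplied arguments are
// appended to the rsync command line verbatim, so an option that makes rsync
// open a file by path does so on the server host with the process's rights.
func unsafeArgv(clientArgs []string) []string {
	return append([]string{"rsync"}, clientArgs...)
}

// checkRsyncArgs is the hardened form: it accepts only an invocation that starts
// with --server, a fixed option subset, and exactly two path operands that
// resolve inside the user's virtual home. It returns the argv to execute.
func checkRsyncArgs(home string, clientArgs []string) ([]string, error) {
	home = path.Clean(home)
	if len(clientArgs) < 3 || clientArgs[0] != "--server" {
		return nil, errors.New("rsync: expected a server-side invocation starting with --server")
	}
	argv := []string{"rsync"}
	var paths []string
	for _, a := range clientArgs {
		switch {
		case allowedLong[a]:
			argv = append(argv, a)
		case strings.HasPrefix(a, "-"):
			if !shortOpts.MatchString(a) {
				return nil, fmt.Errorf("rsync: option %q is not allowed", a)
			}
			argv = append(argv, a)
		default:
			paths = append(paths, a)
		}
	}
	// The server side is invoked as "... . <dest>" (or "<src>" with --sender).
	if len(paths) != 2 {
		return nil, fmt.Errorf("rsync: expected 2 path operands, got %d", len(paths))
	}
	for _, p := range paths {
		resolved := path.Join(home, p) // Join cleans, so ".." segments collapse before the check
		if resolved != home && !strings.HasPrefix(resolved, home+"/") {
			return nil, fmt.Errorf("rsync: path %q escapes %s", p, home)
		}
		argv = append(argv, resolved)
	}
	return argv, nil
}

// logEntry is the constructed log shape used below; it is NOT SFTPGo's real
// log schema (assumption for this example). Map the fields to your logger.
type logEntry struct {
	Time     string `json:"time"`
	Username string `json:"username"`
	Command  string `json:"command"`
	Args     string `json:"args"`
}

// flagRsyncLogs replays each logged rsync invocation through checkRsyncArgs and
// returns one finding per invocation the hardened check refuses, which is what
// a pre-2.6.5 server would have executed unchecked.
func flagRsyncLogs(homeRoot string, lines []string) []string {
	var findings []string
	for _, line := range lines {
		var e logEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil || e.Command != "rsync" {
			continue
		}
		home := path.Join(homeRoot, e.Username)
		if _, err := checkRsyncArgs(home, strings.Fields(e.Args)); err != nil {
			findings = append(findings, fmt.Sprintf("%s %s: %v", e.Time, e.Username, err))
		}
	}
	return findings
}

// sampleLogs are constructed for this example: one normal push, one traversal
// attempt, one invocation with a file-path option, and one unrelated scp.
var sampleLogs = []string{
	`{"time":"2025-02-08T10:00:01Z","username":"alice","command":"rsync","args":"--server -vlogDtpre.iLsfxC . backups/"}`,
	`{"time":"2025-02-08T10:02:17Z","username":"alice","command":"rsync","args":"--server --sender -vlogDtpre.iLsfxC . ../../../etc/passwd"}`,
	`{"time":"2025-02-08T10:05:42Z","username":"bob","command":"rsync","args":"--server -vlogDtpre.iLsfxC --log-file=/tmp/out . ."}`,
	`{"time":"2025-02-08T10:06:00Z","username":"bob","command":"scp","args":"-t uploads/"}`,
}

func main() {
	fmt.Println("unchecked argv:", unsafeArgv([]string{"--server", "--log-file=/tmp/out", ".", "."}))
	for _, f := range flagRsyncLogs("/srv/sftpgo", sampleLogs) {
		fmt.Println("FINDING:", f)
	}
}
```

Run against the constructed lines, the scanner reports alice's traversal attempt and bob's --log-file invocation and stays silent on the normal push and the scp entry. Validating by allow-list rather than by blocking known-bad options is the design point: rsync has far too many path-taking options to enumerate safely, and the client has no legitimate need to send anything beyond the server-side form.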
Monitoring Recommendations
- Run SFTPGo with debug-level logging (the --log-level serve flag) so that SSH command executions and their arguments are recorded
- Configure SIEM alerts for rsync-related events from SFTPGo server processes
- Establish baseline behavior for normal rsync usage patterns (which users, which directories, typical option sets) and alert on deviations
- Because reads and writes happen with the SFTPGo process's own permissions, alert on that process touching its configuration, data provider or key files, or writing under paths that would affect other accounts or services on the host
How to Mitigate CVE-2025-24366
Immediate Actions Required
- Upgrade SFTPGo to version v2.6.5 or later immediately
- If immediate upgrade is not possible, disable the rsync command in SFTPGo configuration
- Audit all SFTPGo configurations to identify instances where rsync is enabled
- Review access logs for any suspicious rsync activity that may indicate prior exploitation
Patch Information
The vulnerability has been fixed in SFTPGo version v2.6.5. The patch implements strict validation of client-provided rsync arguments, enforcing a supported format and limiting the allowed options to prevent abuse. Users are strongly advised to upgrade to this version or later.
For detailed information about the fix, refer to the SFTPGo GitHub security advisory for CVE-2025-24366 and the v2.6.5 release notes.
Workarounds
- Disable the rsync command in SFTPGo configuration if not required for business operations (this is the default configuration)
- Implement network segmentation to limit SSH access to SFTPGo servers from trusted sources only
- Apply principle of least privilege to the SFTPGo server process user account
- Use host-based intrusion detection to monitor for unauthorized file access patterns
# Configuration example - Disable rsync in SFTPGo
# In sftpgo.json, make sure "rsync" is absent from sftpd.enabled_ssh_commands
# and that the list is not the wildcard "*", which enables every command.
# Example snippet (this is the default list):
"sftpd": {
  "enabled_ssh_commands": ["md5sum", "sha1sum", "sha256sum", "cd", "pwd", "scp"]
}
# Omit "rsync" from the enabled_ssh_commands array to disable this feature; restart SFTPGo for the change to take effect
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


