
CVE-2025-32102: CrushFTP SSRF Vulnerability Explained

CVE-2025-32102 is a server-side request forgery vulnerability in CrushFTP that allows authenticated attackers to abuse the telnetSocket command and make the server open connections to hosts and ports of their choosing. This article covers technical details, affected versions, impact, and mitigation.

CVE-2025-32102 Overview

CVE-2025-32102 is a Server-Side Request Forgery (SSRF) vulnerability affecting CrushFTP, a managed file transfer server. The flaw exists in CrushFTP versions 9.x, 10.x through 10.8.4, and 11.x through 11.3.1. Authenticated attackers can abuse the host and port parameters in a command=telnetSocket request sent to the /WebInterface/function/ URI. The server processes attacker-controlled connection targets, enabling requests to internal network resources from the CrushFTP server's perspective. The vulnerability is tracked under CWE-918: Server-Side Request Forgery.

Critical Impact

Authenticated attackers can coerce the CrushFTP server into initiating connections to internal hosts and ports, exposing internal services and enabling network reconnaissance from a trusted position.

Affected Products

  • CrushFTP 9.x (all versions)
  • CrushFTP 10.x through 10.8.4
  • CrushFTP 11.x through 11.3.1

Discovery Timeline

  • 2025-04-15 - CVE-2025-32102 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2025-32102

Vulnerability Analysis

The vulnerability resides in the telnetSocket command exposed through the CrushFTP web interface endpoint at /WebInterface/function/. The handler accepts host and port parameters from the request and uses them to establish an outbound socket connection. Because the destination is not validated against an allowlist, an authenticated user can direct the server to connect to arbitrary hosts, including loopback addresses, internal RFC 1918 ranges, and cloud metadata endpoints.

SSRF in a file transfer server is particularly useful to attackers because CrushFTP often sits in a privileged network position. The server may have routing access to internal management interfaces, databases, and authentication services that external attackers cannot reach directly. The response data returned by telnetSocket may also leak banner information from internal services back to the attacker.

Root Cause

The root cause is missing input validation on the host and port parameters submitted to the telnetSocket function. The application trusts authenticated session input and does not enforce a destination allowlist, deny internal address ranges, or restrict ports to legitimate Telnet usage.

Attack Vector

Exploitation requires authenticated access to the CrushFTP web interface and is performed over the network. An attacker submits a crafted HTTP request to /WebInterface/function/ with command=telnetSocket and attacker-chosen host and port values. The server then initiates the outbound connection on the attacker's behalf. See the Full Disclosure Mailing List Post and Packet Storm File #190460 for technical details on the request structure.

Detection Methods for CVE-2025-32102

Indicators of Compromise

  • HTTP requests to /WebInterface/function/ containing the parameter command=telnetSocket from non-administrative accounts.
  • Outbound TCP connections from the CrushFTP server process to RFC 1918 private ranges, 127.0.0.1, or cloud metadata IPs such as 169.254.169.254.
  • Repeated telnetSocket requests with varying host and port values consistent with internal port scanning.

Detection Strategies

  • Inspect CrushFTP access logs for the telnetSocket command and correlate the source user with expected administrative activity.
  • Monitor egress traffic from the CrushFTP host using network sensors and flag connections to internal subnets that the application does not legitimately need.
  • Apply WAF or reverse proxy rules to flag requests targeting /WebInterface/function/ with externally supplied host or port parameters.
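As an added example (not code from this page or from CrushFTP), the following Python checker applies the destination rules described under Root Cause (deny loopback, private and link-local ranges, including the metadata address) to the log-inspection and scanning heuristics listed above. The access-log layout, the user names, the sample lines and the scan threshold are all constructed assumptions; a real deployment would parse CrushFTP's actual log format and resolve hostnames before deciding.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit
# Loopback, private and link-local ranges to refuse (169.254.0.0/16 covers the 169.254.169.254 metadata endpoint).
DENIED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
def is_denied_destination(host):
    """True for an IP literal in DENIED_NETS, False for any other IP literal,
    None for a hostname (it must be resolved before a decision can be made)."""
    try:
        return any(ipaddress.ip_address(host.strip("[]")) in n for n in DENIED_NETS)
    except ValueError:
        return None
# Constructed log shape (not CrushFTP's real format):
# <timestamp> <user> <client_ip> "<method> <path?query>" <status>
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "(\S+) (\S+)" (\d{3})$')

def analyze_log(lines, admins=frozenset(), scan_threshold=3):
    """Return (timestamp, user, finding) tuples for telnetSocket activity."""
    findings, targets = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, user, _client, _method, target, _status = m.groups()
        url = urlsplit(target)
        q = parse_qs(url.query)
        if url.path != "/WebInterface/function/" or q.get("command") != ["telnetSocket"]:
            continue
        host, port = q.get("host", [""])[0], q.get("port", [""])[0]
        targets[user].add((host, port))  # distinct destinations per user
        denied = is_denied_destination(host)
        if denied:
            findings.append((ts, user, f"telnetSocket to internal {host}:{port}"))
        elif denied is None:
            findings.append((ts, user, f"telnetSocket to unresolved host {host}:{port}"))
        if user not in admins:
            findings.append((ts, user, "telnetSocket from non-administrative account"))
    for user, seen in targets.items():  # many distinct targets suggests a port scan
        if len(seen) >= scan_threshold:
            findings.append(("-", user, f"possible internal scan: {len(seen)} distinct targets"))
    return findings
SAMPLE_LOG = [  # constructed sample traffic, not a real capture
    '2025-04-16T10:00:01Z admin 203.0.113.5 "GET /WebInterface/" 200',
    '2025-04-16T10:00:07Z bob 198.51.100.9 "POST /WebInterface/function/?command=telnetSocket&host=127.0.0.1&port=22" 200',
    '2025-04-16T10:00:08Z bob 198.51.100.9 "POST /WebInterface/function/?command=telnetSocket&host=10.0.0.12&port=3306" 200',
    '2025-04-16T10:00:09Z bob 198.51.100.9 "POST /WebInterface/function/?command=telnetSocket&host=169.254.169.254&port=80" 200',
    '2025-04-16T10:00:15Z alice 198.51.100.20 "POST /WebInterface/function/?command=telnetSocket&host=mail.example.com&port=25" 200',
]
```

Running analyze_log(SAMPLE_LOG, admins={"admin"}) flags each of bob's three internal targets, alice's unresolved hostname, every non-administrative use, and bob's target churn as a possible scan.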

Monitoring Recommendations

  • Forward CrushFTP application logs and host-level network telemetry to a centralized SIEM for correlation against authentication events.
  • Baseline normal outbound connection patterns from the CrushFTP server and alert on deviations to internal management ports such as 22, 3306, 5432, and 6379.
  • Track authentication anomalies on the CrushFTP web interface, since exploitation requires a valid session.

How to Mitigate CVE-2025-32102

Immediate Actions Required

  • Upgrade CrushFTP to a version later than 10.8.4 for the 10.x branch or later than 11.3.1 for the 11.x branch.
  • Restrict access to the /WebInterface/function/ endpoint to trusted administrative networks via reverse proxy or firewall rules.
  • Review CrushFTP user accounts and disable inactive or unnecessary accounts that could be abused for authenticated exploitation.

Patch Information

CrushFTP addressed this issue in releases after 10.8.4 and 11.3.1. Refer to the CrushFTP Official Website for current release notes and download the latest stable build for the affected branch. CrushFTP 9.x is out of mainstream support and customers should migrate to a supported branch.

Workarounds

  • Place CrushFTP behind a network egress filter that denies outbound connections to internal subnets, loopback, and cloud metadata endpoints.
  • Use a reverse proxy to block or strip requests containing command=telnetSocket until patching is complete.
  • Enforce strong authentication and rotate credentials for all CrushFTP users to reduce the likelihood of authenticated abuse.
# Example egress restriction using iptables on the CrushFTP host
# Deny outbound traffic from the CrushFTP service user to internal ranges
# (the uid "crushftp" is an example; use the account the service actually runs as)
iptables -A OUTPUT -m owner --uid-owner crushftp -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner crushftp -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner crushftp -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner crushftp -d 169.254.169.254 -j REJECT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
