CVE-2025-32103 Overview
CVE-2025-32103 is a directory traversal vulnerability affecting CrushFTP versions 9.x, 10.x through 10.8.4, and 11.x through 11.3.1. The vulnerability exists in the /WebInterface/function/ URI endpoint and allows authenticated attackers to read files accessible via SMB at UNC share pathnames, effectively bypassing SecurityManager restrictions implemented by the application.
Critical Impact
Authenticated attackers can leverage this directory traversal flaw to access sensitive files on SMB shares that should be protected by SecurityManager restrictions, potentially exposing confidential data across networked file systems.
Affected Products
- CrushFTP 9.x (all versions)
- CrushFTP 10.x through 10.8.4
- CrushFTP 11.x through 11.3.1
Discovery Timeline
- 2025-04-15 - CVE-2025-32103 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-32103
Vulnerability Analysis
This directory traversal vulnerability (CWE-22, CWE-40) allows attackers to break out of intended directory restrictions by manipulating file paths through the /WebInterface/function/ URI. The core issue stems from improper path validation when handling Windows UNC (Universal Naming Convention) paths, which enables access to SMB network shares that should be restricted by the application's SecurityManager.
The vulnerability requires network access and low-privilege authentication to exploit. What makes this particularly concerning is its ability to bypass security controls that administrators rely on to restrict file access. By crafting requests with UNC paths, an attacker can traverse beyond the web application's intended file boundaries and read files from configured SMB shares that the CrushFTP server has access to.
Root Cause
The root cause is improper input validation in the /WebInterface/function/ endpoint when processing file path parameters. The application fails to adequately sanitize UNC path sequences (e.g., \\server\share\path), allowing attackers to specify paths to SMB network resources. This bypasses the SecurityManager restrictions that are designed to confine file access to specific directories. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-40 (Path Traversal: '\\UNC\share\name\' (Windows UNC Share)).
Attack Vector
The attack is conducted over the network and requires low-privilege authentication to the CrushFTP application. An attacker with valid credentials can send crafted HTTP requests to the /WebInterface/function/ endpoint containing UNC path sequences. These malicious paths allow the attacker to access files on SMB shares that the CrushFTP server can reach, circumventing the intended directory restrictions enforced by SecurityManager.
The exploitation path involves:
- Authenticating to the CrushFTP web interface with any valid user credentials
- Sending requests to the vulnerable /WebInterface/function/ endpoint
- Including UNC path sequences pointing to SMB shares in the request parameters
- Reading file contents from network shares that bypass SecurityManager controls
For detailed technical information about this vulnerability, refer to the Full Disclosure posting and the Packet Storm advisory.
Detection Methods for CVE-2025-32103
Indicators of Compromise
- HTTP requests to /WebInterface/function/ containing UNC path sequences (e.g., \\ or encoded variants)
- Unusual file access patterns in CrushFTP logs showing access to paths outside normal web directories
- Web server logs containing requests with double backslash sequences or SMB share references
- Unexpected network connections from the CrushFTP server to internal SMB shares
Detection Strategies
- Monitor web application logs for requests to /WebInterface/function/ containing path traversal sequences or UNC paths
- Implement web application firewall (WAF) rules to detect and block requests containing \\ sequences or encoded UNC paths
- Enable verbose logging on the CrushFTP server to capture all file access requests and review for anomalies
- Deploy network monitoring to identify unexpected SMB traffic originating from the CrushFTP server
Monitoring Recommendations
- Configure SIEM alerts for path traversal patterns in CrushFTP access logs
- Monitor for authentication events followed by suspicious file access attempts to network shares
- Review CrushFTP security logs regularly for failed SecurityManager restriction bypass attempts
- Implement file integrity monitoring on sensitive SMB shares accessible from the CrushFTP server
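The following scanner is an added example for the indicators and detection strategies listed above; it is not code from the page, from CrushFTP, or from any advisory. It reads access-log lines in an assumed combined-log layout (CrushFTP's real log format, the parameter names such as path and command, and the host and share names in the sample lines are all constructed for the example), decodes each query parameter repeatedly so that single- and double-encoded backslashes (%5C%5C, %255C%255C) and forward-slash variants collapse to the same form, and flags requests to /WebInterface/function/ whose parameters reference a UNC share.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

VULN_PREFIX = "/WebInterface/function/"

# Assumed combined-log-style layout: ip user [timestamp] "METHOD target HTTP/x" status size.
# Adapt this regex to the actual CrushFTP log format before using it on real logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)$'
)

# After slash normalisation, a UNC reference looks like \\host\share or \\?\UNC\host\share.
UNC_RE = re.compile(r'\\\\(?:\?\\UNC\\)?(?P<host>[^\\]+)\\(?P<share>[^\\]*)', re.IGNORECASE)

# Constructed sample log lines (hypothetical users, hosts and shares).
SAMPLE_LOG = """\
10.0.0.5 alice [03/Nov/2025:10:01:02 +0000] "POST /WebInterface/function/?command=login HTTP/1.1" 200 312
10.0.0.5 alice [03/Nov/2025:10:01:09 +0000] "GET /WebInterface/function/?command=list&path=%2Fhome%2Falice HTTP/1.1" 200 1044
10.0.0.7 bob [03/Nov/2025:10:02:15 +0000] "GET /WebInterface/function/?command=list&path=%5C%5Cfileserver%5Cfinance HTTP/1.1" 200 2210
10.0.0.7 bob [03/Nov/2025:10:02:20 +0000] "GET /WebInterface/function/?command=download&path=%255C%255Cfileserver%255Cfinance%255Cq3.xlsx HTTP/1.1" 200 91000
10.0.0.9 carol [03/Nov/2025:10:03:00 +0000] "GET /static/app.js HTTP/1.1" 200 5000
"""


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double-encoded
    sequences such as %255C%255C collapse to two literal backslashes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def unc_reference(value):
    """Return (host, share) when the decoded value references a UNC share, else None.
    Forward slashes are folded to backslashes so //host/share is caught as well."""
    norm = fully_decode(value).replace("/", "\\")
    m = UNC_RE.search(norm)
    if m:
        return m.group("host"), m.group("share")
    return None


def scan_line(line):
    """Return a finding for a request to the vulnerable endpoint carrying a UNC
    reference in any query parameter, or None for a benign or unparsable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(VULN_PREFIX):
        return None
    # parse_qsl performs one decoding pass; unc_reference handles any further layers.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        hit = unc_reference(raw)
        if hit:
            return {
                "ts": m.group("ts"), "ip": m.group("ip"), "user": m.group("user"),
                "param": name, "host": hit[0], "share": hit[1],
                "status": int(m.group("status")),
            }
    return None


def scan_log(text):
    """Scan a whole log text and return the list of findings in log order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


def summarize(findings):
    """Count UNC-referencing requests per authenticated user for a SIEM alert."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["user"]}@{h["ip"]} param={h["param"]} '
              f'unc=\\\\{h["host"]}\\{h["share"]} status={h["status"]}')
    print("per-user counts:", summarize(hits))
```

The per-parameter check is deliberately not tied to one parameter name, and `unc_reference` is the same predicate a reverse proxy or WAF rule in front of CrushFTP would need to apply after full decoding; matching only the literal `\\` before decoding would miss the double-encoded request in the sample.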
How to Mitigate CVE-2025-32103
Immediate Actions Required
- Upgrade CrushFTP to the latest patched version immediately (versions after 10.8.4 for 10.x branch, versions after 11.3.1 for 11.x branch)
- Review access logs for evidence of exploitation attempts targeting the /WebInterface/function/ endpoint
- Restrict network access to the CrushFTP web interface to trusted IP ranges only
- Audit user accounts and remove any unnecessary low-privilege accounts that could be used to exploit this vulnerability
Patch Information
CrushFTP has addressed this vulnerability in versions released after 10.8.4 (for the 10.x branch) and 11.3.1 (for the 11.x branch). Organizations should update to the latest available version to remediate this vulnerability. For the most current patch information and download links, visit the CrushFTP official website.
Workarounds
- If immediate patching is not possible, restrict access to the CrushFTP web interface using firewall rules or network segmentation
- Disable SMB share access from the CrushFTP server if not required for business operations
- Implement additional authentication requirements or IP-based restrictions for accessing the /WebInterface/function/ endpoint
- Deploy a reverse proxy or WAF in front of CrushFTP configured to block requests containing UNC path patterns
If immediate patching is not possible, consider restricting network access to the CrushFTP administration interface and monitoring for suspicious activity. Review the security advisory for additional mitigation guidance.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.