CVE-2025-32103
MEDIUM
CrushFTP 9.0.0-10.8.4 and 11.0.0-11.3.1 - Path Traversal via WebInterface Function URI
Title source: llm
Description
CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows directory traversal via the /WebInterface/function/ URI to read files accessible by SMB at UNC share pathnames, bypassing SecurityManager restrictions.
References (4)
Core References
Exploit, Third Party Advisory, VDB Entry
https://packetstorm.news/files/id/190460/
Exploit, Mailing List, Third Party Advisory
https://seclists.org/fulldisclosure/2025/Apr/17
Product
https://www.crushftp.com/
Mailing List
http://seclists.org/fulldisclosure/2025/Apr/17
Scores
CVSS v3
5.0
EPSS
0.1222
EPSS Percentile
95.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
CWE-40
Status
published
Products (1)
crushftp/crushftp
9.0.0 - 11.3.1
Published
Apr 15, 2025
Tracked Since
Feb 18, 2026