CVE-2025-32102: 
CrushFTP vulnerability analysis and mitigation

CVE-2025-32102 is a Server-Side Request Forgery (SSRF) vulnerability discovered in CrushFTP versions 9.x, 10.x through 10.8.4, and 11.x through 11.3.1. The vulnerability was disclosed on April 15, 2025, affecting the popular file transfer server software (NVD, SecurityOnline).

The vulnerability stems from improper validation of the host and port parameters in telnetSocket requests to the /WebInterface/function/ URI. When a request is made with the command=telnetSocket parameter, the application fails to properly validate these inputs, allowing attackers to perform Server-Side Request Forgery attacks. The vulnerability has been assigned a CVSS v3.1 base score of 5.0 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N (NVD).

The vulnerability allows attackers to conduct port scanning of internal systems by manipulating the host and port parameters. When exploited, the server's response indicates successful connections with "Connected" messages and failed attempts with "Connection refused" responses, potentially exposing internal network information (SecurityOnline).

Users are strongly advised to update their CrushFTP installations to the latest version that addresses this vulnerability. The vendor has released patches to fix the SSRF vulnerability in newer versions (SecurityOnline).