CVE-2025-32103: 
CrushFTP vulnerability analysis and mitigation

CrushFTP versions 9.x, 10.x through 10.8.4, and 11.x through 11.3.1 are affected by a directory traversal vulnerability that allows attackers to read files accessible by SMB at UNC share pathnames. The vulnerability was discovered and disclosed on April 15, 2025, and is tracked as CVE-2025-32103. The vulnerability affects the /WebInterface/function/ URI functionality of the CrushFTP file transfer server (NVD, CVE).

The vulnerability is classified as a Path Traversal vulnerability (CWE-40) specifically involving Windows UNC Share paths. The application's logic fails to adequately filter or restrict network paths when listing directories or files. By injecting a UNC path (e.g., \server\resource) instead of a local path, attackers can bypass SecurityManager restrictions. The vulnerability has been assigned a CVSS v3.1 base score of 5.0 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N (Security Online).

The vulnerability allows attackers to read files accessible via SMB at UNC share pathnames, effectively bypassing the security restrictions implemented by the SecurityManager. This could potentially lead to unauthorized access to sensitive files and directories on connected network shares (Security Online).

Users are strongly advised to update CrushFTP to the latest version that addresses this vulnerability. The update serves as the primary mitigation strategy to protect systems from potential exploitation (Security Online).