Main Vulnerability Database Vulnerabilities #VU118857

#VU118857 Path traversal in CrushFTP - CVE-2025-32103

Published: December 1, 2025

Vulnerability identifier: #VU118857

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2025-32103

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
CrushFTP

Software vendor:
CrushFTP

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to insufficient sanitization of user-supplied passed via the /WebInterface/function/ URI to read files accessible by SMB at UNC share pathnames. A remote user can bypass SecurityManager restrictions and read contents of arbitrary files on the system.

Remediation

Install update from vendor's website.

External links

https://seclists.org/fulldisclosure/2025/Apr/17
http://seclists.org/fulldisclosure/2025/Apr/17

#VU118857 Path traversal in CrushFTP - CVE-2025-32103

Description

Remediation

External links

Please verify you're human