CVE-2025-32103

Summary

CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows directory traversal via the /WebInterface/function/ URI to read files accessible by SMB at UNC share pathnames, bypassing SecurityManager restrictions.

Affected Software

VendorProductVersion RangeStatus
CrushFTPCrushFTP9 <= 10.8.4affected
CrushFTPCrushFTP11 <= 11.3.1affected

Weaknesses

  • CWE-40: CWE-40 Path Traversal: '\UNC\share\name&#39; (Windows UNC Share)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

CVE Program Container

Additional References

References