CVE-2025-32103
PUBLISHED
CVSS 5 MEDIUM
CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows directory traversal via the /WebInterface/function/ URI to read files accessible by SMB at UNC share pathnames, bypassing SecurityManager restrictions.
EPSS 0.39% · 60.4th percentile
Risk Scores
- CVSS v3.1: 5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N)
- EPSS Score: 0.39% (60.4th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| CrushFTP | CrushFTP | 9, 11 |
| crushftp | crushftp | 9, 9.0.0, 11 |
Timeline
- Apr 13, 2025 PoC Published
- Apr 13, 2025 PoC Published
- Apr 13, 2025 PoC Published
- Apr 13, 2025 PoC Published
- Apr 14, 2025 PoC Published
- Apr 15, 2025 CVE Published
- Apr 15, 2025 PoC Published
- Apr 15, 2025 PoC Published
- Apr 16, 2025 EPSS Score
- Apr 16, 2025 PoC Published
- Apr 16, 2025 PoC Published
- Apr 24, 2025 PoC Published
References
- https://www.crushftp.com/ url
- https://seclists.org/fulldisclosure/2025/Apr/17 url
- https://packetstorm.news/files/id/190460/ url
- http://seclists.org/fulldisclosure/2025/Apr/17 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-32103 advisory
- https://packetstorm.news/files/id/190460 url
- https://www.crushftp.com url