CVE-2025-32102
Published 2025-04-15
Priority: P2 · 78 · medium · CVSS 3.1 base score 5.0 · vector AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 5.74% (92.1 percentile)
CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=telnetSocket request to the /WebInterface/function/ URI.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crushftp | crushftp | 11 – 11.3.1 | — |
| crushftp | crushftp | 9 – 10.8.4 | — |
| crushftp | crushftp | 9.0.0 – 11.3.1 | — |
Detection & IOCs (extracted from sources)
Snort/Suricata rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CrushFTP telnetSocket Server-Side Request Forgery (CVE-2025-32102)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WebInterface/function/"; http.request_body; content:"command|3d|telnetSocket"; fast_pattern; content:"host|3d|"; content:"port|3d|"; reference:url,seclists.org/fulldisclosure/2025/Apr/17; reference:cve,2025-32102; classtype:web-application-attack; sid:2061843; rev:1; metadata:affected_product CrushFTP, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_24, cve CVE_2025_32102, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Look for HTTP POST requests to /WebInterface/function/ whose request body contains `command=telnetSocket` together with `host=` and `port=` parameters; this is the SSRF trigger pattern.
- The Snort/Suricata rule (SID 2061843) requires all of the following at once: POST method, URI containing /WebInterface/function/, and a body containing `command|3d|telnetSocket`, `host|3d|` and `port|3d|` (`|3d|` is Snort hex notation for the `=` byte, so these are literal matches on `command=telnetSocket`, `host=` and `port=` in the raw body).
- The rule is tagged for both Perimeter and Internal deployment and for SSLDecrypt, meaning the attack may arrive over TLS and the body can only be inspected after decryption.
- MITRE mapping: Initial Access (TA0001) via Exploit Public-Facing Application (T1190); prioritize detection on internet-exposed CrushFTP instances.
- Affected versions are CrushFTP 9.x, 10.x through 10.8.4, and 11.x through 11.3.1; scope detection to these version ranges.
- TLS decryption (SSLDecrypt) is required for the Snort/Suricata body-matching rule to fire when CrushFTP is served over HTTPS.
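The same three conditions the rule encodes, applied to request records from a log, as an added example (not CrushFTP's, Emerging Threats' or this page's code). The tab-separated log format and the sample records are constructed assumptions; the check differs from the rule in one way worth knowing: it parses and percent-decodes the body rather than matching raw bytes.

```python
from urllib.parse import parse_qs

TARGET_URI = "/WebInterface/function/"

# Constructed sample records in an assumed "<method>\t<uri>\t<body>" format
# (CrushFTP's own logs are not in this format; this is illustration only).
SAMPLE_LOG = [
    "POST\t/WebInterface/function/\tcommand=telnetSocket&host=127.0.0.1&port=22",
    "POST\t/WebInterface/function/\tcommand=getUserList&c2f=abcd",
    "GET\t/WebInterface/function/?command=telnetSocket&host=10.0.0.5&port=80\t",
    "POST\t/WebInterface/function/\tcommand=telnetSocket&host=10%2E0%2E0%2E9&port=3389",
    "POST\t/WebInterface/function/\tcommand=telnetSocket&port=443",
]


def is_telnetsocket_ssrf(method, uri, body):
    """Mirror ET SID 2061843: POST, URI contains /WebInterface/function/,
    and the body carries command=telnetSocket plus host= and port=.
    The rule matches raw bytes; parse_qs decodes percent-encoded values,
    so an encoded host value still counts here. Like the rule, a GET
    carrying the same parameters in the query string is not flagged."""
    if method.upper() != "POST" or TARGET_URI not in uri:
        return False
    params = parse_qs(body, keep_blank_values=True)
    return (params.get("command", [""])[0] == "telnetSocket"
            and "host" in params and "port" in params)


def scan_log(lines):
    """Return (line_number, host, port) for every matching record."""
    hits = []
    for n, line in enumerate(lines, 1):
        method, uri, body = (line.split("\t", 2) + ["", ""])[:3]
        if is_telnetsocket_ssrf(method, uri, body):
            params = parse_qs(body, keep_blank_values=True)
            hits.append((n, params["host"][0], params["port"][0]))
    return hits


if __name__ == "__main__":
    for n, host, port in scan_log(SAMPLE_LOG):
        print(f"line {n}: telnetSocket SSRF attempt toward {host}:{port}")
```

Records 1 and 4 are flagged; record 5 lacks `host=` and record 3 is a GET, so neither matches, which is exactly the coverage the Snort rule gives.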
CVSS provenance
- NVD (CVSS v3.1): 5.0 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
- VulnCheck: 5.0 MEDIUM
GHSA
GHSA-4p7q-hmcp-j657: CrushFTP 9 (ghsa_unreviewed, 2025-04-15), CVE-2025-32102 [MEDIUM], CWE-918
CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=telnetSocket request to the /WebInterface/function/ URI.
VulnCheck
crushftp CrushFTP Server-Side Request Forgery (SSRF) (vulncheck, 2025, CVSS 5.0), CVE-2025-32102 [MEDIUM]
CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=telnetSocket request to the /WebInterface/function/ URI.
Affected: crushftp CrushFTP
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2025-32102
Suricata
ET WEB_SPECIFIC_APPS CrushFTP telnetSocket Server-Side Request Forgery (CVE-2025-32102) (suricata, 2025-04-24, CVSS 5.0), CVE-2025-32102 [MEDIUM]
Rule: SID 2061843, reproduced in full under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.