CVE-2025-32102
published 2025-04-15


Priority: P2 · 78 · medium · CVSS 3.1 base score 5
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:C / C:N / I:L / A:N
VulnCheck KEV: listed (ITW) · Exploited in the wild
EPSS: 5.74% (92.1st percentile)
CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=telnetSocket request to the /WebInterface/function/ URI.

Affected (3 ranges)

Vendor     Product    Version range    Fixed in
crushftp   crushftp   11 – 11.3.1      (not listed)
crushftp   crushftp   9 – 10.8.4       (not listed)
crushftp   crushftp   9.0.0 – 11.3.1   (not listed)

Detection & IOCs (extracted from sources)

url: /WebInterface/function/
command: command=telnetSocket
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CrushFTP telnetSocket Server-Side Request Forgery (CVE-2025-32102)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WebInterface/function/"; http.request_body; content:"command|3d|telnetSocket"; fast_pattern; content:"host|3d|"; content:"port|3d|"; reference:url,seclists.org/fulldisclosure/2025/Apr/17; reference:cve,2025-32102; classtype:web-application-attack; sid:2061843; rev:1; metadata:affected_product CrushFTP, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_24, cve CVE_2025_32102, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP POST requests to /WebInterface/function/ with a request body containing 'command=telnetSocket' along with 'host=' and 'port=' parameters — this is the SSRF trigger pattern.
  • The Snort/Suricata rule (SID 2061843) matches on POST method, URI /WebInterface/function/, and body containing command|3d|telnetSocket (URL-encoded 'command=telnetSocket'), host|3d|, and port|3d| simultaneously.
  • Rule is tagged for both Perimeter and Internal deployment, and also SSLDecrypt — meaning the attack may occur over TLS and requires decryption to detect at the body level.
  • MITRE mapping: Initial Access (TA0001) via Exploit Public-Facing Application (T1190) — prioritize detection on internet-exposed CrushFTP instances.
  • Affected versions are CrushFTP 9.x, 10.x through 10.8.4, and 11.x through 11.3.1 — scope detection to these version ranges.
  • TLS decryption (SSLDecrypt) is required for the Snort/Suricata body-matching rule to fire when CrushFTP is served over HTTPS.
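As an added example (not code from this page, from Emerging Threats, or from the CrushFTP project), the following Python mirrors the bullets above on the log side: it parses a raw, already decrypted HTTP request, applies the same four conditions the SID 2061843 rule encodes (POST method, /WebInterface/function/ path, command=telnetSocket plus host= and port= in the body), and scopes alerts with a version check against the affected ranges. The sample requests, hostnames and addresses are constructed for the example, and all function and variable names are my own.

```python
"""Added example: detector for the CVE-2025-32102 request pattern plus an
affected-version check. Not from the page or the CrushFTP project."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Affected ranges taken from the advisory text: 9.x-10.8.4 and 11.x-11.3.1 (inclusive).
AFFECTED_RANGES = (((9, 0, 0), (10, 8, 4)), ((11, 0, 0), (11, 3, 1)))


def parse_version(version: str) -> tuple:
    """Turn '10.8.4' or '11' into a comparable 3-tuple (missing parts are 0)."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version: str) -> bool:
    """True when the CrushFTP version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: str


def parse_raw_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.1 request (CRLF line endings) into method, target and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _ = request_line.split(" ", 2)
    return HttpRequest(method, target, body)


def is_telnetsocket_ssrf(req: HttpRequest) -> bool:
    """Apply the same conditions as the ET rule: POST, function URI, and a body
    carrying command=telnetSocket together with host= and port=."""
    if req.method.upper() != "POST":
        return False
    if not urlsplit(req.uri).path.startswith("/WebInterface/function/"):
        return False
    # parse_qs percent-decodes keys and values, so the comparison is made on
    # the decoded parameter rather than on a literal byte sequence.
    params = parse_qs(req.body, keep_blank_values=True)
    return (
        params.get("command", [""])[0] == "telnetSocket"
        and "host" in params
        and "port" in params
    )


def scan_requests(raw_requests) -> list:
    """Return the indices of requests that match the SSRF trigger pattern."""
    return [i for i, raw in enumerate(raw_requests)
            if is_telnetsocket_ssrf(parse_raw_request(raw))]


# Constructed sample traffic (hostnames and addresses are placeholders).
SAMPLE_REQUESTS = [
    # 0: matches all four conditions -> alert
    "POST /WebInterface/function/ HTTP/1.1\r\nHost: ftp.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "command=telnetSocket&host=10.0.0.5&port=22",
    # 1: same endpoint, unrelated command -> no alert
    "POST /WebInterface/function/ HTTP/1.1\r\nHost: ftp.example.test\r\n\r\n"
    "command=someUnrelatedCommand&x=1",
    # 2: parameters in the query string of a GET, empty body -> no alert
    #    (the ET rule is POST/body-only as well)
    "GET /WebInterface/function/?command=telnetSocket&host=a&port=1 HTTP/1.1\r\n"
    "Host: ftp.example.test\r\n\r\n",
    # 3: telnetSocket without a port parameter -> no alert
    "POST /WebInterface/function/ HTTP/1.1\r\nHost: ftp.example.test\r\n\r\n"
    "command=telnetSocket&host=10.0.0.5",
]

if __name__ == "__main__":
    for idx in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: CVE-2025-32102 telnetSocket SSRF pattern")
    for v in ("10.8.4", "10.8.5", "11.3.1", "11.3.2"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

Because the body is decoded before comparison, the check evaluates the parameters the server would see rather than a literal byte string; like the Snort/Suricata rule, it only works on traffic that is already decrypted, so feed it proxy or application access logs with bodies, or decrypted captures.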

CVSS provenance

Source      Version  Score  Severity  Vector
nvd         v3.1     5.0    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
vulncheck            5.0    MEDIUM