CVE-2025-32103

Name of the Vulnerable Software and Affected Versions CrushFTP versions 9.x through 11.3.1

Description The issue allows directory traversal via the "/WebInterface/function/" URI to read files accessible by SMB at UNC share pathnames, bypassing SecurityManager restrictions. This can enable unauthorized access to arbitrary directories and files by sending a specially crafted POST request.

Recommendations For CrushFTP versions 9.x through 10.8.4 and 11.x through 11.3.1, consider disabling the "/WebInterface/function/" URI as a temporary workaround until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.