CVE-2025-32102: CWE-918 Server-Side Request Forgery (SSRF) in CrushFTP CrushFTP
CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=telnetSocket request to the /WebInterface/function/ URI.
AI Analysis
Technical Summary
CVE-2025-32102 is a Server-Side Request Forgery (SSRF) vulnerability in CrushFTP 9.x, 10.x through 10.8.4, and 11.x through 11.3.1. CrushFTP is a multi-protocol file transfer server used for managed file sharing, and its web interface exposes user and administrative functions under the /WebInterface/function/ URI. The flaw is insufficient validation of the user-supplied 'host' and 'port' parameters of a command=telnetSocket request to that URI: the server opens a TCP connection to whatever host and port the client names. An attacker who can reach the web interface can therefore make the CrushFTP host connect to destinations the attacker cannot reach directly, such as services bound to loopback, hosts on internal segments, and the link-local cloud metadata endpoint, bypassing network access controls that assume those destinations are unreachable from outside. Because the function name indicates a raw socket rather than an HTTP client, the most dependable use of the flaw is internal host and port discovery from connection success, failure and timing; whether application-layer data (for example an HTTP request to a metadata service) can also be sent and read back depends on how much of the socket the function exposes to the caller, which the advisory does not state. The advisory likewise does not state whether a valid session is required, so until that is confirmed the endpoint should be treated as reachable by anyone who can reach the web interface. No exploitation in the wild has been reported, and no fix was listed when this entry was written; the version bounds in the description ('through 10.8.4' and 'through 11.3.1') indicate that later releases fall outside the affected range, so confirm the fixed versions with the vendor. The exposure matters because CrushFTP is frequently deployed at the network edge as a file transfer gateway, exactly the position from which an SSRF primitive gives the most reach into internal services and APIs.
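The affected ranges above are easy to misjudge when comparing version strings by hand or with a plain string comparison (10.8.10 sorts below 10.8.4 as text). The following is an added example, not code from the page or from CrushFTP, that encodes the three ranges from the CVE description and triages a constructed inventory of hostname/version pairs; the hostnames, versions and the inventory format are assumptions for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Affected ranges as given in the CVE description, keyed by major version.
# None means every release of that major line; a tuple is the inclusive upper bound.
AFFECTED: Dict[int, Optional[Tuple[int, int, int]]] = {
    9: None,           # all 9.x
    10: (10, 8, 4),    # 10.0 through 10.8.4
    11: (11, 3, 1),    # 11.0 through 11.3.1
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn an inventory or banner string such as 'v11.3.1', '10.8' or
    '11.3.1_build_2025' into a (major, minor, patch) tuple of integers.
    Missing components count as 0; any fourth-level build number is ignored,
    so a hypothetical 10.8.4.2 is treated as 10.8.4. Raises ValueError when
    no leading number can be found."""
    components: List[int] = []
    for piece in text.strip().lstrip("vV").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break               # stop at the first non-numeric component
        components.append(int(digits))
    if not components:
        raise ValueError(f"no version number in {text!r}")
    padded = (components + [0, 0, 0])[:3]
    return padded[0], padded[1], padded[2]


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges.
    Tuple comparison makes 10.8.10 sort above 10.8.4, which a string
    comparison would get wrong."""
    v = parse_version(version)
    if v[0] not in AFFECTED:
        return False
    upper = AFFECTED[v[0]]
    return upper is None or v <= upper


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split (hostname, version string) pairs into affected, clear and
    unknown (unparseable version) buckets for follow-up."""
    result: Dict[str, List[str]] = {"affected": [], "clear": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "affected" if is_affected(version) else "clear"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("mft-edge-01.example.net", "11.3.1"),
    ("mft-edge-02.example.net", "11.3.2"),
    ("mft-legacy.example.net", "10.8.10"),
    ("mft-dev.example.net", "v9.2"),
    ("mft-lab.example.net", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Anything that lands in the unknown bucket needs a manual check of the running binary rather than the inventory record; a fourth-level build number is deliberately treated as its parent release because the advisory only speaks in three-component versions.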
Potential Impact
For European organizations the impact can be substantial. CrushFTP is common in enterprise file transfer deployments in finance, healthcare, manufacturing and government, and it is usually placed where it can talk to both the internet and internal systems. Exploitation would let an attacker reach internal services through the CrushFTP host: enumerating hosts and ports on segmented networks, probing administrative interfaces and internal APIs that trust the file transfer server's address, and, on cloud-hosted instances, contacting the instance metadata service, which can yield temporary credentials if a full request can be completed over the forged connection. The entry carries a medium severity rating; the practical risk is higher where the web interface is internet-facing and where the host's outbound traffic is not filtered. Data exposure through such access would affect business continuity and regulatory obligations under GDPR, and for operators of critical infrastructure and public bodies the same primitive supports reconnaissance for espionage or sabotage.
Mitigation Recommendations
Inventory every CrushFTP instance and record its version, treating 9.x, 10.x through 10.8.4 and 11.x through 11.3.1 as affected, and plan to upgrade as soon as the vendor confirms a fixed release. Until then, the control that actually removes the primitive is egress filtering on the CrushFTP host and its network segment: allow outbound connections only to the destinations and ports the service needs (backend storage, directory services, SMTP, update endpoints) and deny everything else, including RFC 1918 and link-local ranges; on cloud instances additionally block the metadata service from the CrushFTP process or require the provider's session-token mechanism for it. Disable the telnetSocket command where it is not needed. Log requests to /WebInterface/function/ at a reverse proxy, or in CrushFTP's own logs if they record the request line, and alert on command=telnetSocket, in particular on host values that are loopback, RFC 1918 or link-local addresses, on addresses written in non-dotted forms (a decimal or hexadecimal integer), and on hostnames that resolve to internal addresses; parameters sent in a POST body will not appear in a standard access log, so body logging or a proxy rule is needed to see those. A WAF rule that blocks telnetSocket requests outright is useful; a rule that tries to block only 'suspicious' host values is weak, because DNS names and alternate IP encodings evade denylists. Finally, keep CrushFTP in its own network segment so that a connection it initiates reaches as little as possible.
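The monitoring recommendation above can be put into practice with a small detector over access logs. The following is an added example, not code from the page or from CrushFTP: it parses constructed lines in Apache/nginx combined-log style, as a reverse proxy in front of CrushFTP would write them (CrushFTP's own log format is not assumed), picks out command=telnetSocket requests to the function URI from the CVE description, and classifies the host parameter, including the decimal-integer and bracketed-IPv6 spellings that a naive dotted-quad filter misses. The source addresses, timestamps and target hosts in the sample are made up.

```python
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real CrushFTP output). The URI and
# parameter names come from the CVE description; everything else is made up.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2025:09:10:01 +0000] "GET /WebInterface/function/?command=telnetSocket&host=169.254.169.254&port=80 HTTP/1.1" 200 512
203.0.113.5 - - [21/May/2025:09:10:02 +0000] "GET /WebInterface/function/?command=telnetSocket&host=10.0.0.8&port=22 HTTP/1.1" 200 80
198.51.100.9 - - [21/May/2025:09:10:03 +0000] "GET /WebInterface/function/?command=getUserList HTTP/1.1" 200 2048
203.0.113.5 - - [21/May/2025:09:10:04 +0000] "GET /WebInterface/function/?command=telnetSocket&host=2130706433&port=8080 HTTP/1.1" 200 64
203.0.113.5 - - [21/May/2025:09:10:05 +0000] "POST /WebInterface/function/ HTTP/1.1" 200 64
203.0.113.5 - - [21/May/2025:09:10:06 +0000] "GET /WebInterface/function/?command=telnetSocket&host=files.example.com&port=443 HTTP/1.1" 200 64
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
FUNCTION_URI = "/WebInterface/function/"
# Link-local range; cloud metadata services answer at 169.254.169.254.
METADATA_NET = ipaddress.ip_network("169.254.0.0/16")


def classify_host(raw: str) -> str:
    """Classify a host= value as loopback, metadata, private, public or hostname.
    Accepts URL-encoded input, bracketed IPv6 and the decimal-integer form of an
    IPv4 address (2130706433 == 127.0.0.1)."""
    value = unquote(raw).strip().strip("[]")
    try:
        addr = ipaddress.ip_address(int(value)) if value.isdigit() else ipaddress.ip_address(value)
    except ValueError:
        return "hostname"   # may still resolve to an internal address; resolve before trusting
    if addr.is_loopback:
        return "loopback"
    if addr.version == 4 and addr in METADATA_NET:
        return "metadata"
    if addr.is_private or addr.is_link_local:
        return "private"
    return "public"


def scan_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one finding per telnetSocket request to the function URI.
    A POST without a query string is reported as 'unknown': its parameters
    are in the body, which a standard access log does not record."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["target"].startswith(FUNCTION_URI):
            continue
        params = parse_qs(urlsplit(m["target"]).query)
        command = params.get("command", [None])[0]
        host = params.get("host", [None])[0]
        port = params.get("port", [None])[0]
        if m["method"] == "POST" and not params:
            klass = "unknown"
        elif command == "telnetSocket":
            klass = classify_host(host) if host is not None else "unknown"
        else:
            continue
        findings.append({"src": m["src"], "ts": m["ts"], "command": command,
                         "host": host, "port": port, "class": klass})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['host']}:{f['port']} [{f['class']}]")
```

Loopback, metadata and private findings are the ones to page on; hostname findings should be resolved from the CrushFTP host's point of view before being dismissed, and the unknown bucket is a reminder that body parameters need proxy-level logging to be visible at all.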
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2025-04-04T00:00:00.000Z
- Cisa Enriched
- true
Threat ID: 682d984bc4522896dcbf7b02
Added to database: 5/21/2025, 9:09:31 AM
Last enriched: 6/21/2025, 2:52:46 PM
Last updated: 7/28/2025, 9:21:10 PM
Related Threats
CVE-2025-8987: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
CVE-2025-8986: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
CVE-2025-31987: CWE-405 Asymmetric Resource Consumption in HCL Software Connections Docs (Medium)
CVE-2025-8985: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
CVE-2025-8984: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)