Cyber Resilience

CVE-2025-24366

High · RCE

Published: 07 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (v2.6.5)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0131 (80.2 percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24366 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

SFTPGo is an open source file transfer server that supports a limited set of SSH-executed commands, including an optional rsync mode restricted to the local filesystem and disabled by default. CVE-2025-24366 is a command-injection flaw (CWE-78) caused by insufficient sanitization of arguments supplied by clients invoking the rsync command; an authenticated user can therefore supply rsync options that cause the server process to read or write arbitrary files using its own privileges.

An attacker with a valid SFTPGo account reachable over SSH can exploit the issue remotely to access or modify files outside the intended user directories, achieving high confidentiality, integrity, and availability impact despite the high attack complexity reflected in the CVSS 7.5 score.

The project’s security advisory and the fixing commit in version 2.6.5 state that the vulnerability is resolved by validating client-supplied rsync arguments; no workarounds are known and users are advised to upgrade.

EPSS scores have remained low and essentially flat (current 0.0131, peak 0.0136), indicating no observable surge in exploitation interest after disclosure.

Vulnerability details

SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands, some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and is limited to the local filesystem; it does not work with cloud/remote storage backends. Due to missing sanitization of the client-provided `rsync` command, an authenticated remote user can use some options of the rsync command to read or write files with the permissions of the SFTPGo server process. This issue was fixed in version v2.6.5 by checking the client-provided arguments. Users are advised to upgrade. There are no known workarounds for this vulnerability.
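The fix described above validates client-supplied rsync arguments before they reach the binary. As an added illustration (not SFTPGo's own code), the Go function below applies the same idea with a constructed allowlist: an option is accepted only if it is on the list and carries no attached value, every path must resolve inside the user's root, and anything unrecognised is rejected rather than forwarded.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed allowlists for this illustration; they are not SFTPGo's real
// option set. Only options without an attached value can ever match.
var allowedLong = map[string]bool{"--server": true, "--sender": true}

const allowedShort = "vrltpgoDz"

// ValidateRsyncArgs checks a client-supplied rsync argument vector and returns
// the normalised vector to execute, or an error if any token is not allowed.
func ValidateRsyncArgs(args []string, root string) ([]string, error) {
	root = filepath.Clean(root)
	out := make([]string, 0, len(args))
	for _, a := range args {
		switch {
		case a == ".":
			// rsync's placeholder separating options from the destination path
		case strings.HasPrefix(a, "--"):
			if !allowedLong[a] { // also rejects any "--opt=value" form
				return nil, fmt.Errorf("rejected option %q", a)
			}
		case strings.HasPrefix(a, "-") && len(a) > 1:
			for _, c := range a[1:] { // combined short flags, checked letter by letter
				if !strings.ContainsRune(allowedShort, c) {
					return nil, fmt.Errorf("rejected short option -%c in %q", c, a)
				}
			}
		default:
			p := a
			if !filepath.IsAbs(p) {
				p = filepath.Join(root, p)
			}
			rel, err := filepath.Rel(root, filepath.Clean(p))
			if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
				return nil, fmt.Errorf("path %q escapes %q", a, root)
			}
			a = filepath.Join(root, rel) // always hand rsync the resolved in-root path
		}
		out = append(out, a)
	}
	return out, nil
}

func main() {
	// Constructed sample input: one benign vector and one with an unlisted option.
	fmt.Println(ValidateRsyncArgs([]string{"--server", "-vrtz", ".", "docs"}, "/srv/sftpgo/alice"))
	fmt.Println(ValidateRsyncArgs([]string{"--server", "--unknown=x", ".", "docs"}, "/srv/sftpgo/alice"))
}
```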

CWE(s): CWE-78 OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection (CWE-78) in the public-facing SFTPGo SSH/rsync handler allows remote authenticated attackers to execute arbitrary commands and access files via crafted arguments.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42454 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2025-50475 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2026-36828 (shared CWE-78)
CVE-2024-57595 (shared CWE-78)
CVE-2026-25196 (shared CWE-78)
CVE-2024-50566 (shared CWE-78)
CVE-2026-23592 (shared CWE-78)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent · SI-10 Information Input Validation: Directly addresses the missing sanitization of client-provided rsync command arguments to prevent OS command injection exploitation.

Prevent · SI-2 Flaw Remediation: Requires timely flaw remediation through patching to the fixed version v2.6.5, comprehensively eliminating the vulnerability.

Prevent: Limits exposure by configuring SFTPGo to disable the optional rsync command unless essential, reducing the attack surface.
