CVE-2025-24366
Published: 07 February 2025
Summary
CVE-2025-24366 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
SFTPGo is an open source file transfer server that supports a limited set of SSH-executed commands, including an optional rsync mode restricted to the local filesystem and disabled by default. CVE-2025-24366 is a command-injection flaw (CWE-78) caused by insufficient sanitization of arguments supplied by clients invoking the rsync command; an authenticated user can therefore supply rsync options that cause the server process to read or write arbitrary files using its own privileges.
An attacker with a valid SFTPGo account reachable over SSH can exploit the issue remotely to access or modify files outside the intended user directories, achieving high confidentiality, integrity, and availability impact despite the high attack complexity reflected in the CVSS 7.5 score.
The project’s security advisory and the fixing commit in version 2.6.5 state that the vulnerability is resolved by validating client-supplied rsync arguments; no workarounds are known and users are advised to upgrade.
EPSS scores have remained low and essentially flat (current 0.0131, peak 0.0136), indicating no observable surge in exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3680
Vulnerability details
SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands, some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and is limited to the local filesystem; it does not work with cloud/remote storage backends. Due to missing sanitization of the client-provided `rsync` command, an authenticated remote user can use some options of the rsync command to read or write files with the permissions of the SFTPGo server process. This issue was fixed in version v2.6.5 by checking the client-provided arguments. Users are advised to upgrade. There are no known workarounds for this vulnerability.
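The advisory above (and the "Deeper analysis" section) describes the fix as validating client-supplied rsync arguments. The following Go function is an added example of that allowlist approach; it is not SFTPGo's own code, and the accepted long options and short-flag letter set are assumptions made for illustration. Anything not explicitly allowed is refused, and the single path argument is confined to the user's root.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Hypothetical allowlist for server-mode rsync invocations of the form
// "rsync --server [--sender] -<shortflags> . <path>". Any long option
// not listed here (including every --option=value form) is refused, so
// options that would make rsync read or write other files never run.
var allowedLong = map[string]bool{"--server": true, "--sender": true}

// Combined short flags as sent by rsync clients; the letter set is an
// assumption for this example, not SFTPGo's own list.
var shortFlags = regexp.MustCompile(`^-[vlogDtprzxe.iLsfC]+$`)

// ValidateRsyncArgs checks the arguments that follow "rsync" and returns
// the single path argument confined to userRoot, or an error.
func ValidateRsyncArgs(args []string, userRoot string) (string, error) {
	if len(args) < 2 || args[0] != "--server" {
		return "", fmt.Errorf("rsync: bad invocation")
	}
	var paths []string
	for _, a := range args[1:] {
		switch {
		case a == ".": // rsync's placeholder for the source side
		case strings.HasPrefix(a, "--"):
			if !allowedLong[a] {
				return "", fmt.Errorf("rsync: argument rejected: %q", a)
			}
		case strings.HasPrefix(a, "-"):
			if !shortFlags.MatchString(a) {
				return "", fmt.Errorf("rsync: argument rejected: %q", a)
			}
		default:
			paths = append(paths, a)
		}
	}
	if len(paths) != 1 {
		return "", fmt.Errorf("rsync: expected exactly one path")
	}
	// Chroot-style confinement: clean traversal against "/" first, then
	// join under the user's root (symlinks need separate handling).
	return filepath.Join(userRoot, filepath.Clean("/"+paths[0])), nil
}
```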
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection (CWE-78) in the public-facing SFTPGo SSH/rsync handler allows remote authenticated attackers to execute arbitrary commands and access files via crafted arguments.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the missing sanitization of client-provided rsync command arguments that makes OS command injection possible.
- SI-2 (Flaw Remediation): requires timely patching to the fixed version v2.6.5, which removes the vulnerability.
- Limits exposure by configuring SFTPGo to disable the optional rsync command unless it is essential, reducing the attack surface.