
SFTPGo Vulnerability Identified: CVE-2025-24366




SFTPGo is an open-source SFTP provider that supports multiple server protocols, including SFTP, HTTP/S, and FTP/S, while integrating with various backend storage solutions such as Azure, Amazon S3, and encrypted local file systems.


Since becoming publicly available for the community on GitHub in 2019, SFTPGo has grown into a thriving open-source project with over 60 contributors, multiple sponsors, and dynamic SaaS plans designed to scale with enterprise environments.


What sets SFTPGo apart from other open-source projects is its active engagement with the IT and cybersecurity community. Reviews and online discussions highlight how SFTPGo incorporates user feedback into its development roadmap, ensuring that the platform evolves to meet modern security and compliance demands, such as a planned future release intended to be HIPAA compliant.


Discovery of CVE-2025-24366

On February 7th, 2025, NIST published CVE-2025-24366 to their public database. On the Common Vulnerability Scoring System (CVSS) scale, this vulnerability was scored at 7.5, making it a high-severity vulnerability. The rating reflects a high impact on the confidentiality, integrity, and availability of SFTPGo's data and service.


There is no public account of how the vulnerability was discovered, but given the absence of breach reports and news coverage around it, it can be assumed that someone reported the security bug through SFTPGo's security team.


About The Vulnerability

Since SFTPGo offers compatibility with both cloud and local storage instances, the rsync command is disabled by default when deploying SFTPGo.

The rsync command is intended for use with files stored on the same local computer. Importantly, the logged-in user does not need to be the same user that the SFTPGo server is running as in order to access data.

The vulnerability arises from the fact that any authenticated remote user (a user who has logged into the system with SFTPGo) can use rsync to perform actions with the same permissions as the SFTPGo server process.


This introduces a high security risk because it allows any authenticated user (not just the user running the SFTPGo server) to perform actions that could read, write, or delete files with the server’s elevated permissions.

As long as a user has access to rsync through SFTPGo, they could potentially manipulate files within the permissions granted to the SFTPGo server, regardless of whether they are the same user or a different user on the system.

If this feature is exploited maliciously or a user's account is compromised, it could allow a threat actor to manipulate, delete, or create files without proper permission management, potentially compromising the integrity and confidentiality of the data.


Vulnerability Remediation

According to recent version updates, SFTPGo version 2.6.5 remediates this vulnerability. Alongside the release, the maintainers on SFTPGo's GitHub published test code showing that the rsync command now verifies and validates the arguments provided by the client.
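The remediation described above relies on refusing rsync invocations whose arguments the server does not expect. The Go function below is an added illustration written for this post, not SFTPGo's own code: it accepts only the assumed shape `rsync --server [--sender] -<flags> . <path>`, rejects any other option, and confines the target path to the user's virtual root so that rsync cannot be pointed at files outside the account's own area. The allow-list and the virtual-root layout are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Assumed allow-list of long options a client may send in server mode.
// This list is illustrative, not SFTPGo's actual list.
var allowedLongOpts = map[string]bool{"--server": true, "--sender": true}

// Combined short-flag token as rsync clients send it, e.g. -logDtpre.iLsfxC
var shortFlags = regexp.MustCompile(`^-[A-Za-z.]+$`)

var ErrBadArgs = errors.New("rsync: unsupported or unsafe argument")

// ValidateRsyncArgs checks client-supplied rsync arguments and returns the
// virtual path (rooted at the user's "/") that rsync is allowed to touch.
func ValidateRsyncArgs(args []string) (string, error) {
	if len(args) < 3 || args[0] != "--server" {
		return "", ErrBadArgs
	}
	// Expected tail: the literal "." followed by the target path.
	if args[len(args)-2] != "." {
		return "", ErrBadArgs
	}
	target := args[len(args)-1]
	for _, a := range args[1 : len(args)-2] {
		if strings.HasPrefix(a, "--") && allowedLongOpts[a] {
			continue
		}
		if !strings.HasPrefix(a, "--") && shortFlags.MatchString(a) {
			continue
		}
		return "", fmt.Errorf("%w: %q", ErrBadArgs, a)
	}
	// Reject any ".." component outright instead of letting Clean fold it.
	for _, seg := range strings.Split(target, "/") {
		if seg == ".." {
			return "", fmt.Errorf("%w: path escapes user root", ErrBadArgs)
		}
	}
	// Anchor the path under the user's virtual root and normalise it.
	return path.Clean("/" + target), nil
}

func main() {
	p, err := ValidateRsyncArgs([]string{"--server", "--sender", "-logDtpre.iLsfxC", ".", "docs/"})
	fmt.Println(p, err) // /docs <nil>
}
```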


If you are a customer and user of SFTPGo, you are highly encouraged to patch and update to the newer version of this application.
