
CrushFTP Security Alert: Actively Exploited Authentication Bypass Vulnerability! Patch Now!


CrushFTP users beware! A severe authentication bypass vulnerability is being actively exploited, endangering sensitive data and entire systems. This security flaw grants unauthorized access to CrushFTP servers and requires urgent attention and immediate action. If you depend on CrushFTP for file transfers, it is essential to recognize the gravity of this issue and secure your system quickly.


What is CrushFTP?

CrushFTP is a robust, multi-protocol, multi-platform enterprise file transfer server solution. It’s designed to handle secure file transfers using FTP, FTPS (FTP over SSL/TLS), SFTP (SSH File Transfer Protocol), HTTP, HTTPS, and WebDAV. Businesses rely on CrushFTP to automate secure data exchange, manage user access, and integrate file transfers into workflows, often handling sensitive corporate data. Its feature-rich nature includes extensive administration capabilities, event management, and support for various backend storage options.

Context: AWS S3 Authentication Handling

Modern file transfer solutions like CrushFTP often integrate with cloud storage providers, including Amazon Web Services (AWS) Simple Storage Service (S3). To interact securely with S3 buckets, applications must authenticate using AWS credentials, typically an Access Key ID and a Secret Access Key. AWS uses a signature mechanism (Signature Version 4, or SigV4) in which each request is cryptographically signed with the secret key. The receiving server (in this case CrushFTP, which may act as an S3-style gateway or itself interact with S3) validates this signature to ensure the request’s authenticity and integrity. It is within CrushFTP’s handling of these S3-related authentication headers that the vulnerability CVE-2025-2825 resides.


The Vulnerability: CVE-2025-2825

A critical security flaw, tracked as CVE-2025-2825, has been identified within this AWS S3 authentication handling mechanism in CrushFTP. This vulnerability permits a remote, unauthenticated attacker to circumvent the server’s standard authentication controls, potentially gaining full administrative access. Affecting specific builds within CrushFTP versions 10 and 11, the vulnerability carries a CVSS 3.1 base score of 9.8 (Critical). The situation is further exacerbated by the public release of Proof-of-Concept (PoC) exploit code and confirmed reports of active exploitation in the wild, demanding immediate attention from administrators.

Vulnerability Details

  • CVE ID: CVE-2025-2825
  • Description: An authentication bypass vulnerability exists in CrushFTP, enabling unauthenticated attackers to gain access via specially constructed HTTP(S) requests designed to mimic S3 authentication.
  • Root Cause: The core issue lies in the faulty handling of S3 authentication headers. When CrushFTP processes such headers, an internal setting, lookup_user_pass, defaults to true if the supplied Access Key ID (interpreted as the username in this flow) does not contain a tilde character (~). Under that condition the signature validation and password verification that the purported user should have to pass are skipped, leading to unauthorized access.
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Scope: Unchanged (S:U)
  • Confidentiality Impact: High (C:H)
  • Integrity Impact: High (I:H)
  • Availability Impact: High (A:H)
  • CVSS 3.1 Score: 9.8 (Critical)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Proof-of-Concept (PoC)

Attackers are using exploits based on the publicly available proof-of-concept (PoC) code for CVE-2025-2825. Here’s a breakdown of how it works:

  1. Target Identification: The attacker identifies a potentially vulnerable CrushFTP instance accessible over HTTP or HTTPS.
  2. Crafting the Malicious Request: The core of the PoC is a specially constructed HTTP request. Instead of providing standard username/password credentials or valid, cryptographically signed S3 authentication headers, the attacker crafts headers designed to hit the vulnerable code path.
  3. Exploiting the S3 Header Flaw: The attacker includes HTTP headers that mimic an AWS S3 authentication attempt. Key headers typically involved are:
    • Authorization: This header is crucial. It’s formatted similarly to an AWS Signature Version 4 request (e.g., AWS4-HMAC-SHA256 Credential=…). However, the critical part is the Credential field. The attacker sets the access key ID part (which CrushFTP interprets as the username in this context) to a string that explicitly does not contain a tilde (~) character. The rest of the credential string (date, region, service) and the signature part are syntactically present, but their cryptographic validity is irrelevant to the bypass. The signature does not need to be correct.
    • x-amz-date: Contains a timestamp in the required format.
    • x-amz-content-sha256: Often set to UNSIGNED-PAYLOAD or a similar value, as the S3 request format requires.
  4. Triggering the Bypass: When the vulnerable CrushFTP server receives this request:
    • It detects the Authorization header formatted like an AWS SigV4 request and enters the S3 authentication handling logic.
    • It extracts the “username” (the Access Key ID part) from the Credential string.
    • Crucially, it checks if this username contains a tilde (~). In the attacker’s crafted request, it does not.
    • Because there is no tilde, and the internal lookup_user_pass setting likely defaults to true in this scenario, CrushFTP incorrectly assumes it should proceed without validating the signature or requiring a corresponding password lookup for this “user”.
    • The authentication check is effectively bypassed.
  5. Gaining Access: If successful, the server grants access as if the attacker were authenticated. Depending on the specific endpoint targeted by the HTTP request (e.g., the root /, or a particular API endpoint), the attacker might receive a session cookie, see a directory listing, or gain the ability to execute further actions permitted by the bypassed authentication context.
  • PoC GET Request
    GET /WebInterface/function/?command=getUsername&c2f=NhGL HTTP/1.1
    Host: target-server:8081
    Cookie: CrushAuth=1743588345185_TdqEZOuStspD45Scu8tuYhLcrqNhGL; currentAuth=NhGL
    Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
  • A few details about the PoC:
    • The CrushAuth cookie need not be valid. It only needs to be a string of 44 characters: the first 13 numeric, followed by an underscore (_) and 30 alphanumeric characters.
    • The value of currentAuth is the same as the last four characters of CrushAuth.
    • c2f carries the value of currentAuth.
  • If the target is vulnerable, the expected outcome is typically an HTTP/1.1 200 OK response with a one-line body like the one below, indicating that the authentication bypass has succeeded.
    <loginResult><response>success</response><username>crushadmin</username></loginResult>
  • A non-vulnerable or patched server should return an error, such as 401 Unauthorized or 403 Forbidden.
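As an added defensive example (not code from this post, from CrushFTP, or from the PoC), the following Python script shows how a reverse proxy, WAF rule engine or log-review job could flag requests matching the pattern described above: an AWS4-HMAC-SHA256 Authorization header whose Credential access key contains no tilde, no Signature= component, a /WebInterface/ target path, and a web-session cookie of the shape described (13 digits, underscore, 30 alphanumerics, with currentAuth equal to its last four characters). The first sample request is the PoC request shown above; the other two are constructed benign requests. The heuristic that a genuine S3 SDK client would not send the web interface’s session cookie alongside a SigV4 header is an assumption, as is the tilde-containing key in the constructed S3-style sample.

```python
import re
from typing import Dict, List, Tuple

AWS4_PREFIX = "AWS4-HMAC-SHA256"
# Session-cookie shape described in the post: 13 digits, '_', 30 alphanumerics (44 chars total).
CRUSHAUTH_RE = re.compile(r"^\d{13}_[A-Za-z0-9]{30}$")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, path, headers); header names lowercased."""
    lines = raw.strip("\r\n").splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def aws4_access_key(auth_value: str):
    """Access key ID from 'Credential=<key>/<date>/<region>/<service>/aws4_request', or None."""
    match = re.search(r"Credential=([^/,\s]*)", auth_value)
    return match.group(1) if match else None


def assess_request(raw: str) -> List[str]:
    """Return finding tags for one request; an empty list means nothing matched."""
    _method, path, headers = parse_request(raw)
    findings: List[str] = []
    auth = headers.get("authorization", "")
    if not auth.startswith(AWS4_PREFIX):
        return findings  # only SigV4-style requests reach the S3 handling code path
    key = aws4_access_key(auth)
    if key is not None and "~" not in key:
        findings.append("aws4_credential_without_tilde")
    if "Signature=" not in auth:
        # A genuine SigV4 header carries Credential, SignedHeaders and Signature.
        findings.append("aws4_header_without_signature")
    if path.startswith("/WebInterface/"):
        findings.append("aws4_header_on_webinterface_path")
    cookies = parse_cookies(headers.get("cookie", ""))
    crush, current = cookies.get("CrushAuth", ""), cookies.get("currentAuth", "")
    if CRUSHAUTH_RE.match(crush) and current and crush.endswith(current):
        # Assumption: an S3 SDK client would not carry the web UI's session cookie.
        findings.append("aws4_header_with_webui_session_cookie")
    return findings


# Sample 1: the PoC request as shown in the post.
POC_REQUEST = """GET /WebInterface/function/?command=getUsername&c2f=NhGL HTTP/1.1
Host: target-server:8081
Cookie: CrushAuth=1743588345185_TdqEZOuStspD45Scu8tuYhLcrqNhGL; currentAuth=NhGL
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
"""

# Sample 2 (constructed): a fully formed SigV4 request with a tilde in the key, no session cookie.
S3_STYLE_REQUEST = """PUT /bucket/object.txt HTTP/1.1
Host: target-server:8081
x-amz-date: 20250331T120000Z
x-amz-content-sha256: UNSIGNED-PAYLOAD
Authorization: AWS4-HMAC-SHA256 Credential=alice~EXAMPLEKEY/20250331/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Sample 3 (constructed): an ordinary web-interface request with no Authorization header.
WEB_UI_REQUEST = """GET /WebInterface/ HTTP/1.1
Host: target-server:8081
Cookie: CrushAuth=1743588345185_TdqEZOuStspD45Scu8tuYhLcrqNhGL; currentAuth=NhGL
"""

if __name__ == "__main__":
    for label, req in [("poc", POC_REQUEST), ("s3", S3_STYLE_REQUEST), ("web", WEB_UI_REQUEST)]:
        print(label, assess_request(req) or "clean")
```

Each tag is a separate signal so a rule can alert on any one of them or only on the combination; a single finding of aws4_credential_without_tilde on a server that legitimately serves S3 clients is worth correlating with the path and cookie findings before paging anyone.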

Impact

Successful exploitation of CVE-2025-2825 presents severe risks to affected organizations. An unauthenticated attacker gaining access to a CrushFTP server can lead to significant data breaches, as these servers often manage the transfer and storage of sensitive corporate information. Unauthorized access could allow attackers to steal confidential files, intellectual property, customer data, or financial records. Beyond data theft, attackers might compromise the system’s integrity by modifying configurations, deleting critical data, or potentially using the compromised CrushFTP server as a pivot point to launch further attacks within the internal network, depending on the server’s privileges and network placement.


Affected Versions

The following specific versions and ranges of CrushFTP are confirmed vulnerable:

  • CrushFTP 10.x: Versions 10.0.0 up to, but not including, 10.8.4 (i.e., 10.0.0 through 10.8.3)
  • CrushFTP 11.x: Versions 11.0.0 up to, but not including, 11.3.1 (i.e., 11.0.0 through 11.3.0)
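To triage an inventory against these ranges, here is an added Python helper (not from this post or from CrushFTP) that parses a dotted version string and reports whether it falls inside an affected range, together with the first fixed release to upgrade to. The inventory entries and hostnames are constructed; the handling of a trailing build suffix after an underscore is an assumption about how version strings might be reported.

```python
from typing import Dict, List, Tuple

# First fixed release per major line, taken from the affected-version ranges above.
FIRST_FIXED: Dict[int, Tuple[int, ...]] = {
    10: (10, 8, 4),
    11: (11, 3, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.3.0' (or '11.3.0_7'; the build suffix is an assumed format) into a comparable tuple."""
    core = text.strip().split("_", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True when the version lies in 10.0.0 through 10.8.3 or 11.0.0 through 11.3.0."""
    v = parse_version(version)
    fixed = FIRST_FIXED.get(v[0])
    if fixed is None:
        # Other major lines are outside the ranges listed above; no claim is made about them.
        return False
    return v < fixed  # tuple comparison handles '11.3' < '11.3.1' correctly


def needs_patch(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, first_fixed_release) for every affected inventory entry."""
    out: List[Tuple[str, str, str]] = []
    for host, version in inventory:
        if is_affected(version):
            fixed = FIRST_FIXED[parse_version(version)[0]]
            out.append((host, version, ".".join(map(str, fixed))))
    return out


# Constructed inventory for demonstration.
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "10.8.3"),
    ("mft-02.example.internal", "10.8.4"),
    ("mft-03.example.internal", "11.3.0"),
    ("mft-04.example.internal", "11.3.1"),
    ("mft-05.example.internal", "11.2.5_3"),
]

if __name__ == "__main__":
    for host, version, upgrade in needs_patch(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected by CVE-2025-2825, upgrade to {upgrade} or later")
```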

Exploitation Status

  • Proof-of-Concept (PoC): Public PoC exploit code is readily available.
  • Active Exploitation: Yes. Active scanning and exploitation attempts targeting CVE-2025-2825 were observed in the wild shortly after the PoC release (late March 2025).

Mitigation and Remediation

Immediate action is crucial for CVE-2025-2825 due to its critical severity and active exploitation.

  1. Patch Immediately: Upgrade CrushFTP to version 10.8.4+ or 11.3.1+. These versions correct the flawed authentication logic, making this the most effective solution.
  2. Temporary Workaround: If patching is delayed, enable the CrushFTP DMZ function. This can mitigate the risk by isolating the port but should not replace patching.

Instantly Fix Risks with SanerNow Patch Management

SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.