CVE-2025-2825 – Authentication Bypass in CrushFTP
A critical vulnerability, CVE-2025-2825, has been identified in CrushFTP. This vulnerability allows remote unauthenticated access via specially crafted HTTP(S) requests, bypassing authentication checks through a flaw in the loginCheckHeaderAuth() method. It affects instances with S3-compatible API access enabled and can be exploited with knowledge of a valid username. This issue has been patched in CrushFTP 11.3.1, and users are strongly advised to upgrade. The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure. The findings are detailed in this post.
References: