
CrushFTP CVE-2025-2825 Vulnerability: Critical Authentication Bypass Exploit and Mitigation Strategies

  • Rescana
  • Apr 1
  • 3 min read

Executive Summary

The CVE-2025-2825 vulnerability in CrushFTP, a multi-protocol file transfer server, presents a significant security risk. This critical authentication bypass vulnerability affects versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, potentially allowing unauthorized access to sensitive data and systems. This report details the technical nature of the vulnerability, its exploitation, and provides guidance on mitigation strategies to safeguard your infrastructure.

Technical Information

The CVE-2025-2825 vulnerability resides in the loginCheckHeaderAuth() method within the ServerSessionHTTP.java file of CrushFTP. This method is responsible for handling HTTP requests that use S3-style authorization headers. The root cause of the vulnerability is the improper handling of the lookup_user_pass flag, which is overloaded and misused as the anyPass parameter of the login_user_pass() method. As a result, the authentication process can be bypassed when processing S3 headers whose username does not contain a tilde.

To exploit this vulnerability, an attacker can craft a malicious AWS S3-style authorization header containing a valid username. This crafted header bypasses password verification, effectively granting the attacker unauthorized access to the system. A proof of concept for this exploit involves sending an HTTP GET request with a specifically formatted authorization header and a CrushAuth cookie to trigger the vulnerability.

This flaw highlights the critical nature of parameter handling and separation of concerns within security-critical code. The improper implementation of authentication mechanisms can lead to severe breaches, underscoring the importance of rigorous code review and testing.
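The following Python model is an added illustration of the bug class described above, written for this report; it is not CrushFTP's code, and the function and flag names (login_user_pass, any_pass, lookup_user_pass, s3_auth_lookup_password_supported) are borrowed from the report only to label a hypothetical login routine. The tilde-in-username condition is not modelled. It shows a boolean meaning "look up this user's stored password for the S3 flow" being forwarded as the core login routine's "accept any password" switch, and the hardened form in which that path is gated by an explicit default-off setting and the password is always verified.

```python
import hashlib
import hmac

# Constructed user store: username -> (salt, sha256(salt + password)).
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse battery staple"))}


def login_user_pass(username: str, password: str, any_pass: bool = False) -> bool:
    """Core credential check (hypothetical). any_pass=True skips password
    verification and is only meant for flows that already authenticated the
    caller by other means; a valid username is still required."""
    entry = USERS.get(username)
    if entry is None:
        return False
    if any_pass:
        return True
    salt, expected = entry
    return hmac.compare_digest(_hash(salt, password), expected)


def vulnerable_s3_login(username: str, supplied_secret: str,
                        lookup_user_pass: bool) -> bool:
    """Vulnerable model: the 'look up the stored password' flag is passed
    straight through as any_pass, so whenever the S3 path sets it the
    supplied secret is never checked and a known username is enough."""
    return login_user_pass(username, supplied_secret, any_pass=lookup_user_pass)


def fixed_s3_login(username: str, supplied_secret: str, lookup_user_pass: bool,
                   s3_auth_lookup_password_supported: bool = False) -> bool:
    """Hardened model: the lookup-based S3 path is only honoured when an
    explicit setting (default False) enables it, and the lookup flag is never
    reused as any_pass, so the supplied secret is always verified."""
    if lookup_user_pass and not s3_auth_lookup_password_supported:
        return False  # lookup-based S3 auth is disabled unless opted in
    return login_user_pass(username, supplied_secret, any_pass=False)


if __name__ == "__main__":
    print("vulnerable, wrong secret, lookup flag set:",
          vulnerable_s3_login("alice", "wrong", lookup_user_pass=True))
    print("fixed, wrong secret, lookup flag set:",
          fixed_s3_login("alice", "wrong", lookup_user_pass=True))
```

The defensive lesson is in the signatures: a flag that answers one question ("should I look up the stored credential?") must never be bound to a parameter that answers a different one ("may I skip verification?"), and any optional authentication path should be off by default, as the vendor's new setting is.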

Exploitation in the Wild

Threat actors exploiting this vulnerability can gain complete access to affected servers. This access enables them to manipulate files, upload malicious content, and even create admin-level user accounts. Indicators of Compromise (IOCs) include log entries showing unexpected successful logins, unexpected modifications to user accounts, and unusual file uploads.

APT Groups using this vulnerability

At present, there is no specific information about Advanced Persistent Threat (APT) groups actively exploiting CVE-2025-2825. However, given the nature of the vulnerability, it is advisable to remain vigilant for any threat actor activity targeting sectors where CrushFTP is widely deployed.

Affected Product Versions

The vulnerable versions of CrushFTP include 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. Organizations utilizing these versions are at risk and should consider immediate action to protect their systems.
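As an added example for inventory triage (not code from the report or from CrushFTP), the script below classifies CrushFTP version strings against the two affected ranges and the 11.3.1 fix stated in this report. It assumes version strings are dotted integers, optionally prefixed with "v" or followed by a build suffix after "-" or whitespace, and compares only the first three components; the sample inventory is constructed.

```python
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges and the fixed release, as stated in the report.
AFFECTED_RANGES = [((10, 0, 0), (10, 8, 3)), ((11, 0, 0), (11, 3, 0))]
FIXED_VERSION: Version = (11, 3, 1)


def parse_version(text: str) -> Version:
    """'v11.3.0-build7' -> (11, 3, 0); '10.8' -> (10, 8, 0)."""
    tokens = text.strip().lstrip("vV").split()
    if not tokens:
        raise ValueError(f"unparseable version: {text!r}")
    core = tokens[0].split("-")[0]
    parts = [int(p) for p in core.split(".") if p != ""]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    parts = (parts + [0, 0, 0])[:3]  # pad short versions, drop extra components
    return parts[0], parts[1], parts[2]


def classify(text: str) -> str:
    """'affected' if inside a listed range, 'fixed' if at or past 11.3.1,
    otherwise 'not-listed': outside the ranges the report names, so review
    it manually rather than assuming it is safe."""
    v = parse_version(text)
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    if v >= FIXED_VERSION:
        return "fixed"
    return "not-listed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in a {hostname: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = {"ftp-a": "11.2.9", "ftp-b": "v11.3.1",
              "ftp-c": "10.8.3", "ftp-d": "10.8.4"}
    for host, status in sorted(triage(sample).items()):
        print(f"{host}: {status}")
```

Hosts reported as "affected" should be scheduled for the 11.3.1 upgrade first; "not-listed" hosts (for example a 10.x release above 10.8.3) fall outside what the report enumerates and deserve a manual check against the vendor's advisory rather than a pass.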

Workaround and Mitigation

CrushFTP has addressed this vulnerability in version 11.3.1. The update introduces a new security parameter, s3_auth_lookup_password_supported, which is set to false by default. This change ensures proper password validation in the authentication workflow. Users are strongly advised to upgrade to version 11.3.1 or later without delay. Additionally, implementing network-level access controls to restrict connectivity to trusted sources further strengthens security.

For detection purposes, a Nuclei template is available to identify vulnerable CrushFTP instances. The template attempts the authentication bypass against the user list API and reports a finding when the server answers with HTTP 200 and a body containing user data. It can be accessed via this link: https://cloud.projectdiscovery.io/public/CVE-2025-2825.

Rescana is here for you

At Rescana, we are committed to helping our clients manage cybersecurity risks effectively. Our Third Party Risk Management (TPRM) platform provides comprehensive solutions to identify, assess, and mitigate vulnerabilities in your supply chain. Should you have any questions or require further assistance, please do not hesitate to reach out to us at ops@rescana.com. We are here to support you in navigating the complex landscape of cybersecurity threats.