Critical CrushFTP Vulnerability Exploited in Active Attacks

A critical security flaw in CrushFTP, tracked as CVE-2025-2825, is under active exploitation. The vulnerability carries a CVSS score of 9.8 and affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. It allows unauthenticated remote attackers to bypass authentication with specially crafted HTTP requests, which can lead to full system compromise.

The Shadowserver Foundation has reported approximately 1,512 unpatched CrushFTP instances worldwide as of March 30, 2025, with North America hosting the majority (891) of these exposed servers. The organization has observed exploitation attempts based on publicly available proof-of-concept (PoC) exploit code.

Security researchers at ProjectDiscovery have detailed the exploitation process, which involves:

– A spoofed AWS header exploiting CrushFTP’s S3 protocol handling with the default crushadmin username.

– A fabricated cookie with a specific 44-character CrushAuth value.

– Parameter manipulation using the c2f parameter to bypass password verification checks.

The vulnerability arises from flawed authentication logic when processing S3-style requests, where the system incorrectly accepts the crushadmin/ credential as valid without proper password verification.

In response, CrushFTP has released version 11.3.1, which addresses the vulnerability by:

– Disabling insecure S3 password lookup by default.

– Adding a security parameter s3_auth_lookup_password_supported=false.

– Implementing proper authentication flow checks.

Security experts recommend the following immediate actions:

– Upgrade to CrushFTP version 11.3.1 or later.

– If immediate patching is not possible, enable the DMZ feature as a temporary mitigation.

– Use ProjectDiscovery’s free detection tool to check exposed instances.

– Audit server logs for suspicious GET requests to /WebInterface/function/.
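One way to carry out the log audit recommended above, as an added example that is not part of the original article or of CrushFTP's own tooling: it flags requests to /WebInterface/function/ that carry the indicators this write-up describes (the c2f parameter, an AWS-style Authorization header naming crushadmin/, and a 44-character CrushAuth cookie), and it checks every HTTP method rather than only GET. The tab-separated log layout, the sample lines and the exact shape of the Authorization header are constructed assumptions, not CrushFTP's real log format.

```python
import re
from urllib.parse import parse_qs, urlsplit

SUSPECT_PATH = "/WebInterface/function/"

# Constructed placeholder with the 44-character length the write-up describes.
FAKE_CRUSHAUTH = "x" * 44

# Constructed sample log (NOT CrushFTP's real log format): tab-separated fields
# client IP, method, request URI, Authorization header, Cookie header ("-" if absent).
SAMPLE_LOG = "\n".join([
    "203.0.113.5\tGET\t/WebInterface/function/?command=getUserList&c2f=1234"
    "\tAWS4-HMAC-SHA256 Credential=crushadmin/\tCrushAuth=" + FAKE_CRUSHAUTH,
    "198.51.100.7\tGET\t/WebInterface/\t-\tCrushAuth=" + FAKE_CRUSHAUTH,
    "192.0.2.9\tPOST\t/WebInterface/function/?command=login\t-\t-",
])


def analyze_line(line):
    """Return the indicators found on one request line (empty list = nothing suspicious)."""
    ip, method, uri, auth, cookie = line.rstrip("\n").split("\t")
    reasons = []
    parts = urlsplit(uri)
    if parts.path.startswith(SUSPECT_PATH):
        if "c2f" in parse_qs(parts.query):
            reasons.append("c2f parameter in query string")
        # AWS-style Authorization header whose credential is the default admin
        # account with an empty password part ("crushadmin/"), as described above.
        if auth.startswith("AWS") and "crushadmin/" in auth:
            reasons.append("AWS-style Authorization naming crushadmin/")
        m = re.search(r"CrushAuth=([^;\s]+)", cookie)
        # A 44-character CrushAuth value is only interesting together with the
        # other indicators, since legitimate sessions also carry this cookie.
        if m and len(m.group(1)) == 44 and reasons:
            reasons.append("44-character CrushAuth cookie alongside other indicators")
    return {"ip": ip, "method": method, "uri": uri, "reasons": reasons}


def find_suspicious(log_text):
    """Analyze every non-empty line of the log and keep only the hits."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            result = analyze_line(line)
            if result["reasons"]:
                hits.append(result)
    return hits
```

Running `find_suspicious(SAMPLE_LOG)` on the constructed log returns only the first line, with all three indicators listed in its reasons.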

This vulnerability follows previous security issues in CrushFTP, such as CVE-2023-43177, which allowed unauthenticated attackers to access files and execute arbitrary code. The recurring pattern of authentication vulnerabilities in file transfer solutions highlights the need for organizations to prioritize patching and securing these critical infrastructure components.