
CrushFTP Authentication Bypass

April 2, 2025


THE THREAT

As of April 1st, 2025, eSentire has identified suspected exploitation of the critical CrushFTP authentication bypass vulnerability CVE-2025-2825.

On March 21st, CrushFTP disclosed CVE-2025-2825 (CVSS: 9.8), an authentication bypass vulnerability that could allow an attacker to gain unauthorized access through remote, unauthenticated HTTP requests sent to the CrushFTP server. Successful exploitation would allow the theft of data stored on the server. On March 28th, ProjectDiscovery published Proof-of-Concept (PoC) exploit code for the vulnerability. Shortly after the PoC was released, the Shadowserver Foundation detected exploitation attempts.

As eSentire has now confirmed that exploitation is ongoing, it is critical that organizations using CrushFTP upgrade to a secure version immediately.

What we're doing about it

What you should do about it

Additional Information

CrushFTP is a widely used multi-protocol file transfer server. It facilitates file transfers via multiple protocols such as FTP, FTPES, SFTP, SCP, and HTTPS. On March 21st, CrushFTP alerted its customers to the critical authentication bypass vulnerability in the solution via email and issued a security update on the same day. Because CrushFTP delayed assigning a CVE, the security firm VulnCheck assigned the vulnerability CVE-2025-2825. CVE-2025-2825 is alternatively tracked as CVE-2025-31161 due to conflicting vulnerability submissions.

ProjectDiscovery states that exploiting CVE-2025-2825 is straightforward and requires minimal technical expertise. To exploit CVE-2025-2825, an attacker only needs to craft an HTTP request carrying an AWS S3-style authorization header whose credential field contains a valid username followed by a slash, together with a random CrushAuth cookie that matches the c2f parameter value. The flaw resides in the loginCheckHeaderAuth() method of the code responsible for handling HTTP requests with S3-style authorization headers.

On March 30th, the Shadowserver Foundation confirmed that 1,512 unpatched CrushFTP servers were exposed to the Internet. File transfer solutions have long been an attractive target for threat actors due to the data they handle and the availability of potentially exploitable public-facing devices.

With suspected ongoing exploitation observed by eSentire and the large number of insecure Internet-facing CrushFTP servers, it is critical that organizations promptly address the vulnerability by applying the recommended patches.

Impacted Versions List:

Observed Behaviors of Compromise:

Successful S3 authentication via AWS4-HMAC-SHA256 credentials for the crushadmin account from a Tor Exit Node

Indicators of Compromise
192[.]42[.]116[.]217 (IP address)
185[.]220[.]101[.]52 (IP address)
192[.]42[.]116[.]212 (IP address)
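The exploitation mechanism described above (an AWS S3-style authorization header whose credential field names a valid account, accompanied by a CrushAuth cookie and c2f parameter) and the observed behaviour of compromise (S3-style AWS4-HMAC-SHA256 authentication for crushadmin from the listed IP addresses) translate directly into a log-review check. The following is an added example, not eSentire's or CrushFTP's own detection content: it parses a constructed, tab-separated request log (the log format is an assumption, as are all sample requests and cookie values), surfaces every request that uses S3-style authorization, extracts the claimed account name from the credential field, and raises severity when the account is crushadmin or the source address is one of the advisory's indicators. It does not reproduce or validate the cookie/parameter relationship; it only records whether both are present alongside the S3-style header.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import parse_qs, urlsplit

# IP indicators of compromise listed in the advisory (defanged there, refanged here for matching).
IOC_IPS = {"192.42.116.217", "185.220.101.52", "192.42.116.212"}

# AWS SigV4 authorization headers carry Credential=<access-key>/<date>/<region>/<service>/aws4_request.
# The advisory notes the bypass hinges on the username-followed-by-slash form of this field,
# so the first path segment is what we surface as the claimed account name.
AWS4_CRED_RE = re.compile(r"^AWS4-HMAC-SHA256\b.*?Credential=([^/,\s]+)/")


class Finding(NamedTuple):
    src_ip: str
    path: str
    username: Optional[str]
    severity: str
    reason: str


def parse_line(line: str) -> dict:
    """Split one log line in the constructed (assumed) tab-separated format:
    <src_ip> <method> <path?query> <Authorization header or -> <Cookie header or ->"""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        raise ValueError(f"unexpected field count: {line!r}")
    src_ip, method, target, authz, cookie = fields
    return {
        "src_ip": src_ip,
        "method": method,
        "target": target,
        "authz": "" if authz == "-" else authz,
        "cookie": "" if cookie == "-" else cookie,
    }


def analyze(line: str) -> Optional[Finding]:
    """Return a Finding when a request matches the advisory's described activity, else None."""
    req = parse_line(line)
    cred = AWS4_CRED_RE.match(req["authz"])
    query = parse_qs(urlsplit(req["target"]).query)
    has_c2f = "c2f" in query
    has_crushauth = "CrushAuth=" in req["cookie"]
    from_ioc = req["src_ip"] in IOC_IPS

    if cred:
        username = cred.group(1)
        details = ["S3-style AWS4-HMAC-SHA256 authorization"]
        if has_c2f and has_crushauth:
            details.append("c2f parameter and CrushAuth cookie present")
        if from_ioc:
            details.append("source IP is an advisory IoC")
        # S3-style authentication for the admin account, or from a listed address,
        # matches the observed behaviour of compromise; other S3-style logins still
        # deserve review if the deployment does not expect S3 clients at all.
        severity = "high" if (username == "crushadmin" or from_ioc) else "medium"
        return Finding(req["src_ip"], req["target"], username, severity, "; ".join(details))

    if from_ioc:
        return Finding(req["src_ip"], req["target"], None, "medium", "source IP is an advisory IoC")
    return None


def scan(lines) -> list:
    """Run analyze() over an iterable of log lines and keep only the hits."""
    return [f for f in (analyze(line) for line in lines) if f is not None]


# Constructed sample log (not real traffic): an ordinary Basic-auth request, an S3-style
# admin login from an advisory IoC address, and an S3-style request from an unlisted address.
SAMPLE_LOG = [
    "10.0.0.5\tPOST\t/\tBasic dXNlcjpwYXNz\t-",
    "192.42.116.217\tGET\t/?c2f=ab12\tAWS4-HMAC-SHA256 Credential=crushadmin/20250401/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=00\tCrushAuth=constructed-session-token",
    "198.51.100.7\tGET\t/\tAWS4-HMAC-SHA256 Credential=backupsvc/20250401/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=00\t-",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.src_ip} {f.path} user={f.username}: {f.reason}")
```

Feed it the real request log of an Internet-facing CrushFTP instance after converting that log to the assumed five-field layout; a high-severity hit for crushadmin on a host that was not yet running the patched build is the same pattern the advisory reports observing, and any S3-style login on a deployment that has no S3 clients is worth a closer look even at medium severity.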

References:

[1] https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
[2] https://projectdiscovery.io/blog/crushftp-authentication-bypass#proof-of-concept
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-2825
[4] https://x.com/Shadowserver/status/1906753539499520064
