THE THREAT
As of April 1st, 2025, eSentire has identified suspected exploitation of the critical CrushFTP authentication bypass vulnerability CVE-2025-2825.
On March 21st, CrushFTP disclosed CVE-2025-2825 (CVSS: 9.8), an authentication bypass vulnerability that could allow an attacker to gain unauthorized access through remote, unauthenticated HTTP requests sent to the CrushFTP server. Successful exploitation would allow for the theft of data stored on the server. On March 28th, ProjectDiscovery published a Proof-of-Concept (PoC) exploit code for the vulnerability. Shortly after the release of the PoC exploit code, exploitation attempts were detected by the Shadowserver Foundation.
As eSentire has now confirmed that exploitation is ongoing, it is critical that organizations using CrushFTP upgrade to a secure version immediately.
What we're doing about it
-
eSentire’s Tactical Threat Response (TTR) team has developed new detections to identify exploitation attempts via eSentire MDR for Network
-
eSentire's Threat Response Unit has performed threat hunts across the eSentire customer base for known signs of exploitation
-
Known malicious IP addresses have been added to eSentire’s Global Block List
-
eSentire Managed Vulnerability Service (MVS) will add the relevant plugins to detect this vulnerability as they become available
-
The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
What you should do about it
-
After performing a business impact review, apply the relevant security patches
-
Upgrade to versions 10.8.4 or later, and 11.3.1 or later
-
If patching is not feasible, CrushFTP recommends enabling the DMZ perimeter network feature on the software until the patches are installed
-
Implement network-level access controls to restrict server connections to trusted devices
Additional Information
CrushFTP is a widely used multi-protocol file transfer server. It facilitates file transfers via multiple protocols such as FTP, FTPES, SFTP, SCP, and HTTPS. On March 21st, CrushFTP alerted its customers about the critical authentication bypass vulnerability in the solution via email and issued a security update on the same day. Due to a delay in assigning a CVE by CrushFTP, the vulnerability was assigned CVE-2025-2825 by the security firm VulnCheck. CVE-2025-2825 is alternatively tracked as CVE-2025-31161 due to conflicting vulnerability submissions.
ProjectDiscovery states that exploiting CVE-2025-2825 is straightforward and requires minimal technical expertise. To exploit CVE-2025-2825, an attacker only needs to craft an HTTP request with an AWS S3-style authorization header, including a valid username followed by a slash, and a random CrushAuth cookie matching c2f parameter values. The flaw resides in the loginCheckHeaderAuth() method of the code responsible for handling HTTP requests with S3-style authorization headers.
On March 30th, the Shadowserver Foundation confirmed that 1,512 unpatched CrushFTP servers were exposed to the Internet. File transfer solutions have long been an attractive target for threat actors due to the data they handle and the availability of potentially exploitable public-facing devices.
With suspected ongoing exploitation observed by eSentire and the large number of insecure Internet-facing CrushFTP servers, it is critical that organizations promptly address the vulnerability by applying the recommended patches.
Impacted Versions List:
-
CrushFTP versions 10.0.0 through 10.8.3
-
CrushFTP versions 11.0.0 through 11.3.0
Observed Behaviors of Compromise:
Successful S3 authentication via AWS4-HMAC-SHA256 credentials for the crushadmin account from a Tor Exit Node
-
<14>Mar 30 23:12:53 *-*-* CrushFTP.log:STOR|03/30/2025 23:12:53.380|[HTTPS:189247_56677:crushadmin:185[.]220[.]101[.]52] WROTE: *230 Password OK. Connected.*
-
<14>Mar 30 23:12:53 *-*-* CrushFTP.log:POST|03/30/2025 23:12:53.267|[HTTPS:189247_56677_p66::185[.]220[.]101[.]52] READ: *Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/*
|
Indicators of Compromise
|
|
192[.]42[.]116[.]217
|
IP Address
|
|
185[.]220[.]101[.]52
|
IP Address
|
|
192[.]42[.]116[.]212
|
IP Address
|
References:
[1] https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
[2] https://projectdiscovery.io/blog/crushftp-authentication-bypass#proof-of-concept
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-2825
[4] https://x.com/Shadowserver/status/1906753539499520064
