Company

ABOUT ESENTIRE

eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.

About Us →

Leadership →

Careers →

Event Calendar →

Newsroom →

Aston Villa Football Club →

EVENT CALENDAR

Apr

Elevate IT Technology Summit Tampa

Apr

ILTA Evolve

Apr

RSAC™ 2025 Conference

May

SIM Houston Women's Roundtable

May

Computing Cybersecurity Festival

View Calendar →

LATEST PRESS RELEASE

Mar 06, 2025

eSentire Unleashes AI-Driven Atlas Nexus Network, Empowering Cybersecurity Partners to Build Differentiated Security Services at Scale

View Newsroom →

OUR PARTNERSHIPS

Aston Villa Football Club

AVFC takes its cyber protection to the Next Level with eSentire as its official cybersecurity partner.

Learn More

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

As of April 1st, 2025, eSentire has identified suspected exploitation of the critical CrushFTP authentication bypass vulnerability CVE-2025-2825.

On March 21st, CrushFTP disclosed CVE-2025-2825 (CVSS: 9.8), an authentication bypass vulnerability that could allow an attacker to gain unauthorized access through remote, unauthenticated HTTP requests sent to the CrushFTP server. Successful exploitation would allow for the theft of data stored on the server. On March 28th, ProjectDiscovery published a Proof-of-Concept (PoC) exploit code for the vulnerability. Shortly after the release of the PoC exploit code, exploitation attempts were detected by the Shadowserver Foundation.

As eSentire has now confirmed that exploitation is ongoing, it is critical that organizations using CrushFTP upgrade to a secure version immediately.

What we're doing about it

eSentire’s Tactical Threat Response (TTR) team has developed new detections to identify exploitation attempts via eSentire MDR for Network
eSentire's Threat Response Unit has performed threat hunts across the eSentire customer base for known signs of exploitation
Known malicious IP addresses have been added to eSentire’s Global Block List
eSentire Managed Vulnerability Service (MVS) will add the relevant plugins to detect this vulnerability as they become available
The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities

What you should do about it

After performing a business impact review, apply the relevant security patches
- Upgrade to versions 10.8.4 or later, and 11.3.1 or later
- If patching is not feasible, CrushFTP recommends enabling the DMZ perimeter network feature on the software until the patches are installed
Implement network-level access controls to restrict server connections to trusted devices

Additional Information

CrushFTP is a widely used multi-protocol file transfer server. It facilitates file transfers via multiple protocols such as FTP, FTPES, SFTP, SCP, and HTTPS. On March 21st, CrushFTP alerted its customers about the critical authentication bypass vulnerability in the solution via email and issued a security update on the same day. Due to a delay in assigning a CVE by CrushFTP, the vulnerability was assigned CVE-2025-2825 by the security firm VulnCheck. CVE-2025-2825 is alternatively tracked as CVE-2025-31161 due to conflicting vulnerability submissions.

ProjectDiscovery states that exploiting CVE-2025-2825 is straightforward and requires minimal technical expertise. To exploit CVE-2025-2825, an attacker only needs to craft an HTTP request with an AWS S3-style authorization header, including a valid username followed by a slash, and a random CrushAuth cookie matching c2f parameter values. The flaw resides in the loginCheckHeaderAuth() method of the code responsible for handling HTTP requests with S3-style authorization headers.

On March 30th, the Shadowserver Foundation confirmed that 1,512 unpatched CrushFTP servers were exposed to the Internet. File transfer solutions have long been an attractive target for threat actors due to the data they handle and the availability of potentially exploitable public-facing devices.

With suspected ongoing exploitation observed by eSentire and the large number of insecure Internet-facing CrushFTP servers, it is critical that organizations promptly address the vulnerability by applying the recommended patches.

Impacted Versions List:

CrushFTP versions 10.0.0 through 10.8.3
CrushFTP versions 11.0.0 through 11.3.0

Observed Behaviors of Compromise:

Successful S3 authentication via AWS4-HMAC-SHA256 credentials for the crushadmin account from a Tor Exit Node

<14>Mar 30 23:12:53 *-*-* CrushFTP.log:STOR|03/30/2025 23:12:53.380|[HTTPS:189247_56677:crushadmin:185[.]220[.]101[.]52] WROTE: *230 Password OK. Connected.*
<14>Mar 30 23:12:53 *-*-* CrushFTP.log:POST|03/30/2025 23:12:53.267|[HTTPS:189247_56677_p66::185[.]220[.]101[.]52] READ: *Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/*

Indicators of Compromise
192[.]42[.]116[.]217	IP Address
185[.]220[.]101[.]52	IP Address
192[.]42[.]116[.]212	IP Address

References:

[1] https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
[2] https://projectdiscovery.io/blog/crushftp-authentication-bypass#proof-of-concept
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-2825
[4] https://x.com/Shadowserver/status/1906753539499520064

ESENTIRE SERVICES

Managed Detection and Response

All-In-One MDR Solution →

MDR for Microsoft →

MDR for GenAI →

Digital Forensics and Incident Response

Continuous Threat Exposure Management (CTEM)

PLATFORM, PEOPLE AND RESPONSE

Security Operations Center (SOC)

Extended Detection and Response (XDR)

Technology Integrations

Threat Response Unit (TRU)

Cyber Resilience Team

Response and Remediation

MDR Packages and 24/7 Protection

MDR Pricing and Packages

Atlas Essentials

Atlas Advanced

Atlas Complete

24/7 Coverage

Endpoint

Network

Log

Cloud

Identity

INDUSTRIES

Insurance

Construction

Finance

Legal

Manufacturing

Private Equity

Healthcare

Retail

Food Supply

Government and Education

Automotive Dealerships

USE CASES

Ransomware

Cybersecurity Compliance

Zero Day Attacks

Cloud Misconfiguration

Third-Party Risk

Do More With Less

Cyber Risk

Cyber Insurance

Sensitive Data Security

Security Leadership

Cyber Threat Intelligence

From The Blog

The Long and Short(cut) of It: KoiLoader Analysis

From Access to Encryption: Dissecting Hunters International's Latest…

eSentire and Qylis Form Strategic Partnership to Deliver Compliant…

Resources

Case Studies

TRU Intelligence Center

Cybersecurity Tools

Videos

Reports

Webinars

Data Sheets

Real vs. Fake MDR

Compare MDR Vendors

Blogs

Security Advisories

SECURITY ADVISORIES

CrushFTP Authentication Bypass

Critical Next.js Vulnerability (CVE-2025-29927)