CrushFTP Vulnerability Lets Hackers Bypass Security and Seize Server Control

A newly disclosed authentication bypass vulnerability (CVE-2025-2825) in CrushFTP file transfer software enables attackers to gain complete control of servers without valid credentials.

The vulnerability affects versions 10.0.0 through 11.3.0 of the popular enterprise file transfer solution, exposing organizations to data theft and system compromise.

The Exploit: Bypassing Security in 3 Steps

Security researchers have revealed how attackers can exploit this vulnerability using a simple HTTP request:

GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1

Host: target-server:8081

Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111

Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/

This attack combines three critical components:

1. Spoofed AWS Header: Uses CrushFTP’s S3 protocol handling with a crushadmin username
2. Fabricated Cookie: Requires a 44-character CrushAuth value with matching 4-digit code (1111 in this example)
3. Parameter Manipulation: Leverages the c2f parameter to bypass password checks

The vulnerability stems from flawed authentication logic when processing S3-style requests:

• System mistakes crushadmin/ credential as valid without password verification
• Special cookie format tricks servers into accepting unauthenticated sessions
• Attackers can then execute admin commands, including:
  • Downloading sensitive files
  • Creating new administrator accounts
  • Uploading malicious payloads

Security analysts confirm that 75% of CrushFTP instances remain unpatched as of March 31, 2025, despite fixes being available since March 26.

Detection and Mitigation

CrushFTP released version 11.3.1 with crucial fixes:

• Disabled insecure S3 password lookup by default
• Added security parameter s3_auth_lookup_password_supported=false
• Implemented proper authentication flow checks

Immediate Action Required:

1. Upgrade to CrushFTP ≥11.3.1 or ≥10.8.3
2. Use ProjectDiscovery’s free detection tool:

nuclei -t https://cloud.projectdiscovery.io/public/CVE-2025-2825

3. Audit server logs for suspicious GET requests to /WebInterface/function/

This vulnerability highlights three critical security lessons:

1. Protocol Interaction Risks: Mixed authentication methods (S3 + cookies) create attack surfaces
2. Default Configuration Dangers: Overly permissive defaults remain a systemic issue
3. Response Time Gaps: 5-day patch adoption window leaves organizations exposed

Security teams should implement web application firewalls to block malformed S3 headers while patching. CrushFTP servers exposed to the internet should be considered high-risk until updated.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!