CrushFTP Vulnerability Exploited in Attacks Following PoC Release

Security researchers have confirmed active exploitation attempts targeting the critical authentication bypass vulnerability in CrushFTP (CVE-2025-2825) following the public release of proof-of-concept exploit code. 

Based on Shadowserver Foundation’s most recent monitoring data, approximately 1,512 unpatched instances remain vulnerable globally as of March 30, 2025, with North America hosting the majority (891) of these exposed servers.

The vulnerability, which carries a CVSS score of 9.8, affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. 

First disclosed on March 26, 2025, it allows unauthenticated remote attackers to bypass authentication via a specially crafted HTTP request, potentially leading to complete system compromise.

“We are observing CrushFTP CVE-2025-2825 exploitation attempts based on publicly available PoC exploit code,” the Shadowserver Foundation announced in their recent advisory. 

“We see ~1800 unpatched instances worldwide, with over 900 in the US.”

Technical Details of the Exploit

Security researchers at ProjectDiscovery published a detailed analysis revealing how attackers can exploit the vulnerability using a relatively simple three-step process:

The attack leverages three critical components:

• A spoofed AWS header that exploits CrushFTP’s S3 protocol handling with the default “crushadmin” username
• A fabricated cookie with a specific 44-character CrushAuth value
• Parameter manipulation using the c2f parameter to bypass password verification checks

The vulnerability stems from flawed authentication logic when processing S3-style requests, where the system incorrectly accepts the “crushadmin/” credential as valid without proper password verification.

The latest data from Shadowserver’s monitoring dashboard shows Europe hosting the second-largest number of vulnerable instances at 490, followed by Asia (62), Oceania (45), and both South America and Africa with 12 instances each.

Mitigation Strategies

CrushFTP released version 11.3.1 with critical fixes that address the vulnerability by:

• Disabling insecure S3 password lookup by default
• Adding a security parameter “s3_auth_lookup_password_supported=false”
• Implementing proper authentication flow checks

Security experts recommend several immediate actions:

• Upgrade to CrushFTP version 11.3.1+ or 10.8.4+ immediately
• Enable the DMZ feature as a temporary mitigation if immediate patching is not possible
• Use ProjectDiscovery’s free detection tool: nuclei -t https://cloud.projectdiscovery.io/public/CVE-2025-2825
• Audit server logs for suspicious GET requests to /WebInterface/function/

This vulnerability follows previous security issues in CrushFTP, including CVE-2023-43177, which similarly allowed unauthenticated attackers to access files and execute arbitrary code. 

The recurring pattern of authentication vulnerabilities in file transfer solutions reflects a concerning trend, as attackers continue to target these critical infrastructure components as entry points into corporate networks. Organizations are urged to prioritize patching this vulnerability immediately.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free