Administrators and security teams are urged to patch CrushFTP servers immediately following active exploitation of a critical zero-day vulnerability (CVE-2025-54309). The flaw allows unauthenticated attackers to gain administrative privileges via crafted HTTP requests, potentially leading to full server compromise. This article provides a technical analysis of the vulnerability, its exploitation, and mitigation strategies.
Executive Summary for Decision Makers
The CrushFTP vulnerability poses a significant risk to organizations using affected versions (10.0.0–10.8.3 and 11.0.0–11.3.0). With a CVSS score of 9.8, successful exploitation enables threat actors to bypass authentication entirely, execute arbitrary commands, and deploy ransomware. Multiple security firms have confirmed active exploitation in the wild.
- Affected Products: CrushFTP versions 10.x and 11.x before patches
- Exploitation Method: HTTP request manipulation with AWS4-HMAC-SHA256 header
- Primary Risk: Complete server takeover without credentials
- Patch Status: Fixed in v10.8.4 and v11.3.1
Technical Analysis of CVE-2025-54309
The vulnerability stems from improper authentication handling in the loginCheckHeaderAuth() function, where the anyPass flag can be triggered via a specially crafted CrushAuth cookie combined with an AWS-style authorization header. Research from Truesec and Rapid7 confirms this bypass technique works against default configurations.
Attackers can leverage this flaw to execute privileged operations such as user enumeration, file system access, and command execution. The following HTTP request demonstrates the exploitation pattern:
GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1
Host: victim-server:8080
Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/This request bypasses authentication checks and returns sensitive user data from the server. The vulnerability is particularly dangerous because it requires no user interaction or prior access.
Detection and Mitigation Strategies
Organizations should implement the following measures immediately:
| Action | Implementation |
|---|---|
| Patch Installation | Upgrade to CrushFTP v10.8.4+ or v11.3.1+ |
| Network Controls | Restrict access to CrushFTP web interfaces via firewall rules |
| Log Monitoring | Search for unauthorized crushadmin access attempts |
| DMZ Configuration | Enable DMZ Proxy mode as temporary workaround |
Security teams should also monitor for connections from known malicious IPs associated with exploitation attempts, including 172.235.144.67 and 2.58.56.16 as identified by threat researchers.
Historical Context and Related Threats
This vulnerability follows a pattern of critical flaws in CrushFTP, including CVE-2024-4040 which similarly allowed unauthenticated remote code execution. The recurrence of authentication bypass issues suggests systemic problems in the software’s security architecture.
Notably, the exploitation method shares characteristics with previous attacks against web interfaces, where header manipulation leads to privilege escalation. This incident reinforces the need for rigorous input validation in middleware components.
Conclusion
The CrushFTP zero-day represents a clear and present danger to organizations using vulnerable versions. Immediate patching is the only complete solution, though network segmentation and monitoring can reduce risk during the remediation process. This incident highlights the ongoing challenges of securing file transfer solutions against sophisticated attacks.
References
- “Critical Unauthenticated Access Vulnerability in CrushFTP (CVE-2025-2825)”, IONIX, 2025.
- “Critical Authentication Bypass Vulnerabilities (CVE-2025-2825, CVE-2025-31161) in CrushFTP”, Truesec, 2025.
- “ETR: Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise”, Rapid7, 2024.
- CrushFTP Security Advisory, CrushFTP, 2025.
