CrushFTP Vulnerability Exploited in Attacks Following PoC Release
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Security researchers have confirmed active exploitation attempts targeting the critical authentication bypass vulnerability in CrushFTP (CVE-2025-2825) following the public release of proof-of-concept exploit code.
Based on Shadowserver Foundation’s most recent monitoring data, approximately 1,512 unpatched instances remain vulnerable globally as of March 30, 2025, with North America hosting the majority (891) of these exposed servers.
The vulnerability, which carries a CVSS score of 9.8, affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.
First disclosed on March 26, 2025, it allows unauthenticated remote attackers to bypass authentication via a specially crafted HTTP request, potentially leading to complete system compromise.
“We are observing CrushFTP CVE-2025-2825 exploitation attempts based on publicly available PoC exploit code,” the Shadowserver Foundation announced in their recent advisory.
“We see ~1800 unpatched instances worldwide, with over 900 in the US.”
We are observing CrushFTP CVE-2025-2825 exploitation attempts based on publicly available PoC exploit code. You can track attempts on our Dashboard at https://t.co/PNW2ZzS9Gy
Still 1512 unpatched instances vulnerable to CVE-2025-2825 seen on 2025-03-30https://t.co/PNW2ZzS9Gy https://t.co/w0CkIHWxk8 pic.twitter.com/MCFnwsjmP0
— The Shadowserver Foundation (@Shadowserver) March 31, 2025
Technical Details of the Exploit
Security researchers at ProjectDiscovery published a detailed analysis revealing how attackers can exploit the vulnerability using a relatively simple three-step process:
The attack leverages three critical components:
The vulnerability stems from flawed authentication logic when processing S3-style requests, where the system incorrectly accepts the “crushadmin/” credential as valid without proper password verification.
The latest data from Shadowserver’s monitoring dashboard shows Europe hosting the second-largest number of vulnerable instances at 490, followed by Asia (62), Oceania (45), and both South America and Africa with 12 instances each.
Mitigation Strategies
CrushFTP released version 11.3.1 with critical fixes that address the vulnerability by:
Security experts recommend several immediate actions:
This vulnerability follows previous security issues in CrushFTP, including CVE-2023-43177, which similarly allowed unauthenticated attackers to access files and execute arbitrary code.
The recurring pattern of authentication vulnerabilities in file transfer solutions reflects a concerning trend, as attackers continue to target these critical infrastructure components as entry points into corporate networks. Organizations are urged to prioritize patching this vulnerability immediately.
#Cyber_Attack_Article #Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
CrushFTP Vulnerability Exploited in Attacks Following PoC Release
Author: KaaviyaSecurity researchers have confirmed active exploitation attempts targeting the critical authentication bypass vulnerability in CrushFTP (CVE-2025-2825) following the public release of proof-of-concept exploit code.
Based on Shadowserver Foundation’s most recent monitoring data, approximately 1,512 unpatched instances remain vulnerable globally as of March 30, 2025, with North America hosting the majority (891) of these exposed servers.
The vulnerability, which carries a CVSS score of 9.8, affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.
First disclosed on March 26, 2025, it allows unauthenticated remote attackers to bypass authentication via a specially crafted HTTP request, potentially leading to complete system compromise.
“We are observing CrushFTP CVE-2025-2825 exploitation attempts based on publicly available PoC exploit code,” the Shadowserver Foundation announced in their recent advisory.
“We see ~1800 unpatched instances worldwide, with over 900 in the US.”
We are observing CrushFTP CVE-2025-2825 exploitation attempts based on publicly available PoC exploit code. You can track attempts on our Dashboard at https://t.co/PNW2ZzS9Gy
Still 1512 unpatched instances vulnerable to CVE-2025-2825 seen on 2025-03-30https://t.co/PNW2ZzS9Gy https://t.co/w0CkIHWxk8 pic.twitter.com/MCFnwsjmP0
— The Shadowserver Foundation (@Shadowserver) March 31, 2025
Technical Details of the Exploit
Security researchers at ProjectDiscovery published a detailed analysis revealing how attackers can exploit the vulnerability using a relatively simple three-step process:
The attack leverages three critical components:
- A spoofed AWS header that exploits CrushFTP’s S3 protocol handling with the default “crushadmin” username
- A fabricated cookie with a specific 44-character CrushAuth value
- Parameter manipulation using the c2f parameter to bypass password verification checks
The vulnerability stems from flawed authentication logic when processing S3-style requests, where the system incorrectly accepts the “crushadmin/” credential as valid without proper password verification.
The latest data from Shadowserver’s monitoring dashboard shows Europe hosting the second-largest number of vulnerable instances at 490, followed by Asia (62), Oceania (45), and both South America and Africa with 12 instances each.
Mitigation Strategies
CrushFTP released version 11.3.1 with critical fixes that address the vulnerability by:
- Disabling insecure S3 password lookup by default
- Adding a security parameter “s3_auth_lookup_password_supported=false”
- Implementing proper authentication flow checks
Security experts recommend several immediate actions:
- Upgrade to CrushFTP version 11.3.1+ or 10.8.4+ immediately
- Enable the DMZ feature as a temporary mitigation if immediate patching is not possible
- Use ProjectDiscovery’s free detection tool: nuclei -t https://cloud.projectdiscovery.io/public/CVE-2025-2825
- Audit server logs for suspicious GET requests to /WebInterface/function/
This vulnerability follows previous security issues in CrushFTP, including CVE-2023-43177, which similarly allowed unauthenticated attackers to access files and execute arbitrary code.
The recurring pattern of authentication vulnerabilities in file transfer solutions reflects a concerning trend, as attackers continue to target these critical infrastructure components as entry points into corporate networks. Organizations are urged to prioritize patching this vulnerability immediately.
#Cyber_Attack_Article #Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
