Security researchers have confirmed active exploitation attempts targeting the critical authentication bypass vulnerability in CrushFTP (CVE-2025-2825) following the public release of proof-of-concept exploit code. 

Based on Shadowserver Foundation’s most recent monitoring data, approximately 1,512 unpatched instances remain vulnerable globally as of March 30, 2025, with North America hosting the majority (891) of these exposed servers.

The vulnerability, which carries a CVSS score of 9.8, affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. 

First disclosed on March 26, 2025, it allows unauthenticated remote attackers to bypass authentication via a specially crafted HTTP request, potentially leading to complete system compromise.

“We are observing CrushFTP CVE-2025-2825 exploitation attempts based on publicly available PoC exploit code,” the Shadowserver Foundation announced in their recent advisory. 

“We see ~1800 unpatched instances worldwide, with over 900 in the US.”

We are observing CrushFTP CVE-2025-2825 exploitation attempts based on publicly available PoC exploit code. You can track attempts on our Dashboard at https://t.co/PNW2ZzS9GyStill 1512 unpatched instances vulnerable to CVE-2025-2825 seen on 2025-03-30https://t.co/PNW2ZzS9Gy https://t.co/w0CkIHWxk8 pic.twitter.com/MCFnwsjmP0— The Shadowserver Foundation (@Shadowserver) March 31, 2025

Technical Details of the Exploit

Security researchers at ProjectDiscovery published a detailed analysis revealing how attackers can exploit the vulnerability using a relatively simple three-step process:

The attack leverages three critical components:

A spoofed AWS header that exploits CrushFTP’s S3 protocol handling with the default “crushadmin” username

A fabricated cookie with a specific 44-character CrushAuth value

Parameter manipulation using the c2f parameter to bypass password verification checks

The vulnerability stems from flawed authentication logic when processing S3-style requests, where the system incorrectly accepts the “crushadmin/” credential as valid without proper password verification.

The latest data from Shadowserver’s monitoring dashboard shows Europe hosting the second-largest number of vulnerable instances at 490, followed by Asia (62), Oceania (45), and both South America and Africa with 12 instances each.

Mitigation Strategies

CrushFTP released version 11.3.1 with critical fixes that address the vulnerability by:

Disabling insecure S3 password lookup by default

Adding a security parameter “s3_auth_lookup_password_supported=false”

Implementing proper authentication flow checks

Security experts recommend several immediate actions:

Upgrade to CrushFTP version 11.3.1+ or 10.8.4+ immediately

Enable the DMZ feature as a temporary mitigation if immediate patching is not possible

Use ProjectDiscovery’s free detection tool: nuclei -t https://cloud.projectdiscovery.io/public/CVE-2025-2825

Audit server logs for suspicious GET requests to /WebInterface/function/

This vulnerability follows previous security issues in CrushFTP, including CVE-2023-43177, which similarly allowed unauthenticated attackers to access files and execute arbitrary code. 

The recurring pattern of authentication vulnerabilities in file transfer solutions reflects a concerning trend, as attackers continue to target these critical infrastructure components as entry points into corporate networks. Organizations are urged to prioritize patching this vulnerability immediately.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup – Try for Free