
CrushFTP Authentication Bypass Vulnerability Under Active Exploitation

A critical authentication bypass in CrushFTP allows unauthenticated attackers to access administrative functions through crafted HTTP requests, with exploitation already observed in the wild.

Sebastion

CVE References: CVE-2025-2825

Affected: CrushFTP versions prior to 10.8.4 and 11.3.1

What happened: CrushFTP disclosed a critical authentication bypass vulnerability that allows unauthenticated attackers to gain access to CrushFTP server instances exposed to the internet. The vendor confirmed active exploitation and urged all users to update immediately. Security monitoring organizations detected widespread scanning activity targeting CrushFTP instances following public disclosure.

Technical details: CVE-2025-2825 is an authentication bypass that allows remote unauthenticated access to CrushFTP servers through manipulation of HTTP request parameters. The vulnerability enables attackers to access server functionality as an authenticated user without providing valid credentials. Exploitation is straightforward and does not require specialized tools, which has led to rapid adoption by threat actors. CrushFTP servers exposed to HTTP(S) ports on the internet are directly vulnerable.

Who is affected: Organizations running CrushFTP versions prior to 10.8.4 or 11.3.1 that have their web interface accessible from the internet. CrushFTP is commonly used by enterprises for managed file transfer, often handling sensitive business documents and data. The Shadowserver Foundation identified thousands of internet-exposed CrushFTP instances.

What defenders should do: Update CrushFTP to version 10.8.4 or 11.3.1 immediately. If patching is not immediately possible, enable the DMZ proxy feature, which provides a protective layer in front of the main CrushFTP instance. Restrict web interface access to trusted networks via firewall rules. Audit file transfer logs for unauthorized access during the exposure window.
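To turn the remediation guidance above into a repeatable check, the following script triages an inventory of CrushFTP hosts against the two fixed versions named in this advisory (10.8.4 for the 10.x line, 11.3.1 for the 11.x line) and ranks them by urgency using internet exposure and DMZ proxy status. This is an added example written for this page, not CrushFTP vendor code; the host records are constructed, and the handling of versions outside the 10.x and 11.x lines is an assumption noted in the comments.

```python
"""Triage a CrushFTP inventory against the fixed versions in this advisory.

Added example, not vendor code. Fixed versions (10.8.4 for 10.x, 11.3.1 for
11.x) come from the advisory text; the inventory below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First fixed release on each affected branch, as stated in the advisory.
FIXED = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the numeric version from strings like 'CrushFTP 11.2.0_build_1'.

    Non-numeric suffixes are ignored; short forms such as '11.3' are padded
    with zeros so tuple comparison against FIXED works. Raises ValueError if
    no version number is present.
    """
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(version: Tuple[int, ...]) -> Optional[bool]:
    """True if the version carries the fix, False if it is affected.

    Returns None for major versions newer than 11, which the advisory does
    not cover (assumption: such hosts are flagged for manual review rather
    than treated as safe).
    """
    major = version[0]
    if major in FIXED:
        return version >= FIXED[major]
    if major < 10:
        # Anything older than the 10.x line is also 'prior to 10.8.4'.
        return False
    return None


@dataclass
class Host:
    name: str
    version: str
    internet_exposed: bool
    dmz_proxy: bool


def triage(hosts: List[Host]) -> List[Tuple[str, str]]:
    """Return (host name, recommended action) pairs, most urgent first."""
    ranked = []
    for h in hosts:
        patched = is_patched(parse_version(h.version))
        if patched is True:
            rank, action = 3, "up to date"
        elif patched is None:
            rank, action = 2, "version outside advisory scope; verify manually"
        elif h.internet_exposed and not h.dmz_proxy:
            rank, action = 0, "PATCH NOW; restrict web interface, audit transfer logs"
        elif h.internet_exposed:
            rank, action = 1, "patch now; DMZ proxy in place, still audit transfer logs"
        else:
            rank, action = 2, "patch in next window; not internet exposed"
        ranked.append((rank, h.name, action))
    ranked.sort()
    return [(name, action) for _, name, action in ranked]


# Constructed inventory for demonstration; not real hosts.
INVENTORY = [
    Host("mft-01", "CrushFTP 10.8.3", internet_exposed=True, dmz_proxy=False),
    Host("mft-02", "11.3.1", internet_exposed=True, dmz_proxy=False),
    Host("mft-03", "CrushFTP 11.2.0_build_1", internet_exposed=True, dmz_proxy=True),
    Host("mft-04", "9.4.1", internet_exposed=False, dmz_proxy=False),
    Host("mft-05", "11.3", internet_exposed=True, dmz_proxy=False),
]

if __name__ == "__main__":
    for name, action in triage(INVENTORY):
        print(f"{name}: {action}")
```

The branch-aware comparison matters because a plain numeric check against 11.3.1 would wrongly mark a fixed 10.8.4 host as vulnerable, and the zero-padding catches short version strings like "11.3", which is still below 11.3.1.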

Broader implications: File transfer solutions continue to be high-value targets for threat actors, following the pattern set by MOVEit, GoAnywhere, and Accellion FTA breaches in previous years. These platforms often contain sensitive data and bridge internal and external networks, making them ideal initial access points for data exfiltration and ransomware operations.