A critical CrushFTP flaw, CVE-2025-2825, with a CVSS score of 9.8, has been discovered. It enables attackers to bypass authentication on CrushFTP servers, posing a high-severity risk to corporate environments. Continue reading this Cybersecurity Threat Advisory for details on how to prevent exploitation.
What is the threat?
The vulnerability stems from an improper authentication implementation (CWE-287) in CrushFTP’s HTTP request handler. Specifically, the issue lies in the loginCheckHeaderAuth() mechanism, which mishandles AWS S3-style authentication headers. Under certain conditions, the server allows authentication to succeed without validating the password. The root cause is a logic error involving an internal flag named ‘anyPass,’ which activates when a username lacking a tilde (~) character appears in the authentication header. With this flag active, the server bypasses the password check entirely.
This critical flaw allows an attacker to craft a specially designed HTTP request that completely bypasses authentication, granting them the same access privileges as a legitimate administrator. It affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.
Why is this noteworthy?
CVE-2025-2825 is easily exploitable with minimal technical expertise. An attacker only needs network access to the HTTP/S interface of a vulnerable CrushFTP server—no credentials are required. Malicious actors can exploit the flaw in the CrushFTP Web Interface by crafting an HTTP request with a forged AWS S3 Authorization header and a specially formatted CrushAuth cookie to target default usernames like “crushadmin.”
When the server processes the request, it sets the anyPass flag to true because the username “crushadmin” lacks a tilde character. This triggers the authentication logic to accept any password (or no password at all), bypassing the authentication system entirely.
The server then responds with a successful HTTP 200 status code and returns the requested data (such as a list of user accounts). At this point, the attacker gains the same privileges as an administrator, enabling access to sensitive files, uploading malicious content, creating backdoor accounts, or performing other administrative functions.
Multiple security firms have released proof-of-concept (PoC) exploits and automated scan tools for this vulnerability. The widespread availability of these exploitation tools means that even low-skilled attackers can easily target affected systems.
What is the exposure or risk?
The impact of CVE-2025-2825 can be severe, affecting the confidentiality, integrity, and availability of data. Upon successful exploitation, attackers can access and exfiltrate sensitive data stored on the CrushFTP server, including confidential files, intellectual property, or customer information. Additionally, malicious actors can modify, delete, or replace legitimate files, inject malware into downloadable content, or alter files or server settings to enable lateral movement.
What are the recommendations?
Barracuda strongly recommends that organizations take the following actions to protect their environment:
- Update your CrushFTP installation to a patched version: 11.3.1 or later, 10.8.4 or later, or 11.2.3_19.
- Configure firewall rules or cloud security groups to restrict incoming traffic to CrushFTP’s HTTP/S ports (typically 8080 or 443) and allow only trusted IP addresses.
- Review the CrushFTP server logs for indications of unauthorized access, with special attention to default accounts.
- Change default passwords and, where possible, rename or disable default accounts.
- Review your CrushFTP user permissions and server access rights.
- Implement vulnerability scanning to detect unpatched instances. Community-provided detection tools, like the Nuclei template for CVE-2025-2825, can assist in identifying vulnerable servers.
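As an added example (not part of this advisory and not CrushFTP's or Barracuda's own tooling), the following Python helper applies the affected and patched version numbers listed above to an inventory of version strings, so unpatched instances can be triaged from asset data. It assumes the "major.minor.patch" format with an optional "_build" suffix as in "11.2.3_19", and, as an assumption the advisory does not state, treats later builds of 11.2.3 as carrying the same back-ported fix.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges taken from the advisory above, as (major, minor, patch) tuples.
VULNERABLE_RANGES = [
    ((10, 0, 0), (10, 8, 3)),   # fixed in 10.8.4 and later
    ((11, 0, 0), (11, 3, 0)),   # fixed in 11.3.1 and later
]
# Back-ported fix the advisory lists inside the 11.x range: 11.2.3 build 19.
# Assumption (not stated in the advisory): later builds of 11.2.3 also carry the fix.
BACKPORT_BASE, BACKPORT_MIN_BUILD = (11, 2, 3), 19

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[int]]:
    """Parse 'major.minor.patch' with an optional '_build' suffix, e.g. '11.2.3_19'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch)), (int(build) if build is not None else None)


def is_vulnerable(text: str) -> bool:
    """True if the version is inside an affected range and is not the back-ported build."""
    base, build = parse_version(text)
    if base == BACKPORT_BASE and build is not None and build >= BACKPORT_MIN_BUILD:
        return False
    return any(lo <= base <= hi for lo, hi in VULNERABLE_RANGES)


def triage(versions: List[str]) -> List[str]:
    """Return the version strings from an inventory that still need patching."""
    return [v for v in versions if is_vulnerable(v)]


if __name__ == "__main__":
    # Constructed sample inventory for illustration; these are not real hosts.
    inventory = ["10.7.0", "10.8.3", "10.8.4", "11.2.3", "11.2.3_19", "11.3.0", "11.3.1", "9.9.9"]
    for v in inventory:
        print(f"{v:>10}  {'VULNERABLE' if is_vulnerable(v) else 'patched/unaffected'}")
```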
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.ionix.io/blog/critical-unauthenticated-access-vulnerability-in-crushftp-cve-2025-2825/
- https://www.cybersecuritydive.com/news/critical-vulnerability-crushftp-under-attack/744078/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.