
Critical CrushFTP Authentication Bypass Vulnerability Now Under Active Exploitation
Secure Your File Transfers: CrushFTP Vulnerability Under Active Attack – It’s More Than Just a Little Crush
A critical authentication bypass vulnerability in CrushFTP file transfer software has been identified and is now being actively exploited by attackers. The vulnerability, tracked as CVE-2025-2825, allows remote attackers to gain unauthenticated access to devices running unpatched CrushFTP v10 or v11 software.
Who Identified the Vulnerability
The security flaw was responsibly disclosed by researchers at Outpost24. However, there appears to be some confusion regarding the CVE identifier assigned to this vulnerability. While vulnerability intelligence firm VulnCheck assigned it CVE-2025-2825, CrushFTP has stated that the “real CVE is pending” and later indicated that Outpost24 assigned it CVE-2025-31161. Despite this disagreement, the cybersecurity industry has largely adopted CVE-2025-2825 as the tracking identifier.
Criticality and Technical Details
The vulnerability received a CVSS score of 9.8, categorizing it as critical due to its low complexity and severe potential impact. It affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.
The core issue is parameter overloading in the authentication code: a flag meant for password lookup (lookup_user_pass) was reused as an authentication bypass control (anyPass). Because of this implementation error, password validation can be skipped entirely when accessing the server. An attacker only needs to craft an HTTP request with an AWS S3-style authorization header containing a valid username and a specially formatted CrushAuth cookie.
Current Exploitation Status
The Shadowserver Foundation has detected dozens of exploitation attempts targeting internet-exposed CrushFTP servers, with over 1,500 vulnerable instances exposed online as of March 30, 2025. The exploitation attempts are based on publicly available proof-of-concept code published by ProjectDiscovery, which released technical details and an exploit for the vulnerability.
By March 31, 2025, the number of vulnerable instances had dropped by a few hundred, but Shadowserver’s honeypots were still detecting exploitation attempts.
CrushFTP’s Comments and Response
CrushFTP urged customers to “take immediate action to patch ASAP” in an email sent on Friday, March 21, when it released patches to address the security flaw. As a workaround, administrators who cannot immediately update are advised to enable the DMZ (demilitarized zone) perimeter network option to protect their CrushFTP servers until they can patch.
CrushFTP has expressed significant displeasure with the security firms that released technical details about the vulnerability. The company told SecurityWeek that those who released technical details are to blame for the vulnerability being weaponized and for companies being targeted so soon after disclosure. CrushFTP described these security firms as “bad actors.”
Available Fixes
CrushFTP addressed this vulnerability in version 11.3.1 by adding a new security parameter s3_auth_lookup_password_supported set to false by default and implementing proper security checks in the authentication flow. Organizations using CrushFTP are strongly advised to upgrade immediately to version 11.3.1 or later. The company has provided a straightforward update process through its dashboard, which takes approximately 5 minutes to complete. Offline update methods are also available for systems without direct internet access.
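Two quick defender-side checks drawn from the details above, written as an added example (not CrushFTP's code): a version triage against the affected ranges stated in this article, and a log scan for requests that pair an S3-style Authorization header with a CrushAuth session cookie, which is the combination the advisory describes and which ordinary S3 clients do not produce. The log format and paths are constructed for the example, not CrushFTP's real log layout.

```python
import re
from typing import List, Tuple

# Affected ranges as stated in the advisory text; fixed in 11.3.1.
VULNERABLE_RANGES = [((10, 0, 0), (10, 8, 3)), ((11, 0, 0), (11, 3, 0))]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'CrushFTP 11.2.3' or '11.2' into a comparable tuple (missing parts = 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(text: str) -> bool:
    """True if the reported version falls inside one of the affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


# Constructed access-log sample (hypothetical format):
# client_ip  path  authorization_scheme("-" if absent)  cookie_names("-" if absent)
SAMPLE_LOG = """\
203.0.113.5 /files/ AWS4-HMAC-SHA256 CrushAuth;currentAuth
198.51.100.7 /files/ Basic CrushAuth
203.0.113.9 /bucket/object AWS4-HMAC-SHA256 -
192.0.2.3 /login - -
"""

S3_SCHEMES = ("AWS4-HMAC-SHA256", "AWS")


def flag_s3_auth_with_session_cookie(log: str) -> List[str]:
    """Return client IPs whose requests combine an S3-style Authorization header
    with a CrushAuth cookie. Legitimate S3 clients send no browser session
    cookie, so this is a cheap triage signal for review, not proof of compromise."""
    hits = []
    for line in log.splitlines():
        ip, _path, scheme, cookies = line.split()
        if scheme.startswith(S3_SCHEMES) and "CrushAuth" in cookies.split(";"):
            hits.append(ip)
    return hits


if __name__ == "__main__":
    print("11.3.0 vulnerable:", is_vulnerable("CrushFTP 11.3.0"))
    print("flagged clients:", flag_s3_auth_with_session_cookie(SAMPLE_LOG))
```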
Historical Context
This is not the first time CrushFTP has faced serious security issues. In April 2024, CrushFTP patched an actively exploited zero-day vulnerability (tracked as CVE-2024-4040) that allowed unauthenticated attackers to escape the user’s virtual file system and download system files. At that time, cybersecurity company CrowdStrike found evidence suggesting the campaign targeting CrushFTP servers at multiple U.S. organizations was likely politically motivated and focused on intelligence-gathering.
How CinchOps Can Secure Your Business
In light of this critical vulnerability and the increasing targeting of file transfer products by ransomware gangs and threat actors, it’s clear that robust security measures are essential. CinchOps offers comprehensive security solutions to protect your business:
- Vulnerability Management: We provide continuous monitoring and rapid patching of critical vulnerabilities like the CrushFTP authentication bypass.
- Security Assessment: Our team conducts thorough evaluations of your network to identify exposed and vulnerable services before attackers can exploit them.
- Managed Security Services: We offer 24/7 monitoring and threat detection to identify and respond to exploitation attempts in real-time.
- Secure Configuration Management: We implement security best practices such as network segmentation and access controls to minimize attack surfaces.
- Incident Response Planning: We develop and maintain customized response plans to ensure quick mitigation in case of a security breach.
Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
Don’t wait until your systems are compromised. Contact CinchOps today to secure your file transfer infrastructure and protect your critical business data from evolving cyber threats.
FREE CYBERSECURITY ASSESSMENT