Frequently Asked Questions

CrushFTP Vulnerability (CVE-2025-2825 & Related)

What is CVE-2025-2825 and why is it critical?

CVE-2025-2825 is a critical authentication bypass vulnerability affecting CrushFTP, a popular enterprise file transfer solution. It allows remote, unauthenticated attackers to gain unauthorized access to vulnerable servers without requiring valid credentials. The vulnerability affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, and has a CVSS 3.1 score of 9.8 (Critical). Attackers are actively exploiting this flaw, making it a top-priority security concern. Source: NIST National Vulnerability Database

How does CVE-2025-2825 work?

The vulnerability is caused by improper authentication implementation in CrushFTP’s HTTP request handler. Specifically, the loginCheckHeaderAuth() mechanism mishandles AWS S3-style authentication headers. If a username without a tilde (~) character is provided, an internal flag (anyPass) is set, causing the server to bypass password validation entirely. This allows attackers to craft a special HTTP request and gain administrator privileges without credentials.

How easy is it to exploit CVE-2025-2825?

CVE-2025-2825 is trivially exploitable with minimal technical knowledge. Attackers only need network access to a vulnerable CrushFTP server’s HTTP/S interface. Multiple proof-of-concept exploits and automated scan tools are publicly available, making it accessible even to low-skilled attackers.

What are the risks and impacts of CVE-2025-2825?

The risks include confidentiality breaches (data exfiltration), integrity compromise (modification or deletion of files), and system availability threats (remote code execution, ransomware deployment, persistent backdoors, and lateral movement within networks). Active exploitation has been observed, with over 1,800 exposed CrushFTP instances worldwide and dozens of exploitation attempts reported. Source: SecurityWeek

How can I mitigate CVE-2025-2825?

Mitigation steps include:

For detailed guidance, see the CrushFTP Official Advisory and Help Net Security.

How do I know if my systems are impacted by CVE-2025-2825?

If you are running CrushFTP versions 10.0.0 through 10.8.3 or 11.0.0 through 11.3.0, your systems are vulnerable. IONIX customers can view updated information on their specific assets in the Threat Center of the IONIX portal, where exploit simulation models and asset impact assessments are available.

IONIX Product Features & Capabilities

What cybersecurity solutions does IONIX offer?

IONIX specializes in cybersecurity solutions focused on External Exposure Management and Attack Surface Management. The platform provides Attack Surface Discovery, Risk Assessment, Risk Prioritization, and Risk Remediation. It helps organizations discover all relevant assets, monitor changing attack surfaces, and reduce noise for more effective risk management. Learn more

How does IONIX help organizations manage vulnerabilities like CVE-2025-2825?

IONIX enables security teams to identify exposed assets and validate exploitable vulnerabilities from an attacker's perspective. The platform provides complete attack surface visibility, prioritizes critical remediation activities, and offers actionable insights to streamline security operations. Customers can monitor their assets for vulnerabilities such as CVE-2025-2825 in the IONIX Threat Center. IONIX Threat Center

What are the key features of the IONIX platform?

Key features include:

For more details, visit Why IONIX.

What integrations does IONIX support?

IONIX integrates with tools such as Jira, ServiceNow, Slack, Splunk, Microsoft Sentinel, Palo Alto Cortex/Demisto, AWS Control Tower, AWS PrivateLink, and pre-trained Amazon SageMaker Models. For a full list, visit IONIX Integrations.

Does IONIX offer an API for integrations?

Yes, IONIX provides an API that supports integrations with major platforms like Jira, ServiceNow, Splunk, Cortex XSOAR, and more. Details are available at IONIX Integrations.

Security, Compliance & Performance

What security and compliance certifications does IONIX have?

IONIX is SOC2 compliant and supports companies with NIS-2 and DORA compliance, ensuring robust security measures and regulatory alignment.

How is IONIX rated for product performance and innovation?

IONIX earned top ratings for product innovation, security, functionality, and usability. It was named a leader in the Innovation and Product categories of the ASM Leadership Compass for completeness of product vision and a customer-oriented, cutting-edge approach to ASM. Source

Use Cases, Pain Points & Customer Success

What problems does IONIX solve for organizations?

IONIX addresses key pain points including:

Who can benefit from using IONIX?

IONIX is designed for Information Security and Cybersecurity VPs, C-level executives, IT managers, and security managers across industries such as insurance, financial services, energy, critical infrastructure, IT/technology, and healthcare. It is tailored for organizations of all sizes, including Fortune 500 companies.

Can you share specific customer success stories with IONIX?

Yes. Notable success stories include:

What business impact can customers expect from using IONIX?

Customers can expect:

For more details, visit this page.

Implementation, Support & Training

How long does it take to implement IONIX and how easy is it to start?

Getting started with IONIX is simple and efficient. Initial deployment takes about a week and requires only one person to implement and scan the entire network. Customers have access to onboarding resources such as guides, tutorials, webinars, and a dedicated Technical Support Team. Learn more

What support and training does IONIX provide?

IONIX offers technical support and maintenance services during the subscription term, including troubleshooting, upgrades, and maintenance. Customers are assigned a dedicated account manager and benefit from regular review meetings. Onboarding resources include guides, tutorials, webinars, and access to a Technical Support Team. Support Details

Industry Recognition & Company Information

What industry recognition has IONIX received?

IONIX was named a leader in the 2025 KuppingerCole Attack Surface Management Leadership Compass and won the Winter 2023 Digital Innovator Award from Intellyx. The company has secured Series A funding to accelerate growth and expand platform capabilities. Source

Who are some of IONIX's customers?

IONIX's customers include Infosys, Warner Music Group, The Telegraph, E.ON, Grand Canyon Education, and a Fortune 500 Insurance Company. For more details, visit IONIX Customers.

Blog & Resources

Where can I find the IONIX blog and resources?

IONIX's blog provides articles and updates on cybersecurity, exposure management, and industry trends. Visit IONIX Blog for the latest insights. Technical documentation, guides, datasheets, and case studies are available at IONIX Resources.

Go back to All Blog posts

Exploited: Critical Unauthenticated Access Vulnerability in CrushFTP (CVE-2025-2825)

Amit Sheps
Amit Sheps Director of Product Marketing LinkedIn
April 2, 2025
Exploited! Alert announcing a critical unauthenticated access vulnerability (CVE-2025-2825) in CrushFTP.

In the ever-evolving landscape of web application vulnerabilities, a new critical flaw has emerged. CVE-2025-2825 is a high-severity vulnerability that allows attackers to bypass authentication on CrushFTP servers. This popular enterprise file transfer solution is often used in corporate environments to manage sensitive data, making this vulnerability particularly concerning. Attackers are actively exploiting this flaw in the wild, making it a top-priority security concern for administrators to address quickly.

What is CVE-2025-2825?

CVE-2025-2825 is a critical authentication bypass vulnerability affecting CrushFTP, a popular enterprise file transfer solution. This high-severity flaw allows remote, unauthenticated attackers to gain unauthorized access to vulnerable CrushFTP servers without requiring valid credentials – effectively an authentication bypass. The vulnerability affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.

The vulnerability has been assigned a CVSS 3.1 score of 9.8 (Critical) due to its network attack vector (no privileges or user interaction needed) and the potential for full system compromise. It was originally discovered by researchers at Outpost24 and patched on March 21, 2025.

At the core of this vulnerability is an improper authentication implementation (CWE-287) in CrushFTP’s HTTP request handler. The issue specifically resides in the loginCheckHeaderAuth() mechanism, which improperly handles AWS S3-style authentication headers. When a specific condition is triggered, the server allows authentication to succeed without validating the password at all.

The root cause was traced to a logic error where an internal flag called anyPass is set when a username without a tilde (~) character is provided in the authentication header. When this flag is active, the server bypasses the password check completely, as shown in this simplified vulnerable code:

// Vulnerable code from CrushFTP's authentication handler

if (anyPass && user.getProperty("enabled", "").equals("true")) {

    return user; // Returns user without password validation

}

// Normal password check (skipped if anyPass is true)

if (!password.equals(user.getProperty("password"))) {

    return null; // Authentication should fail here

}

This critical flaw means that an attacker can craft a special HTTP request that completely bypasses authentication, gaining the same access privileges as a legitimate administrator.

Exploiting the Vulnerability

CVE-2025-2825 is trivially exploitable with minimal technical knowledge. An attacker only needs network access to a vulnerable CrushFTP server’s HTTP/S interface – no credentials required. The exploit involves:

  1. Crafting a malicious HTTP request with a fake AWS S3 Authorization header and a specially formatted CrushAuth cookie
  2. Targeting known default usernames like “crushadmin” (without including a tilde character)
  3. Submitting the request to the CrushFTP Web Interface

Here’s an example of how attackers are exploiting this vulnerability in the wild:

GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1

Host: victim-server:8080

Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111

Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/

In this request:

  • The Authorization header uses an AWS4-HMAC-SHA256 scheme with the credential set to “crushadmin” (the default admin username)
  • The CrushAuth cookie is a dummy session token that matches the format expected by the server
  • The c2f parameter in the URL matches the suffix of the CrushAuth cookie

When this request is processed, the server sets the anyPass flag to true because the username (crushadmin) contains no tilde character. This causes the authentication logic to accept any password (or no password at all), effectively bypassing the authentication system entirely.

The server responds with a successful HTTP 200 status code and returns the requested information (in this case, a list of user accounts). At this point, the attacker has the same privileges as an administrator and can access sensitive files, upload malicious content, create backdoor accounts, or execute other administrative functions.

Multiple security firms have published proof-of-concept (PoC) exploits and automated scan tools for this vulnerability, including Nuclei templates that can detect vulnerable servers. This widespread availability of exploitation tools means that even low-skilled attackers can easily target vulnerable systems.

Potential Risks

The impact of CVE-2025-2825 is severe, with significant security implications across the confidentiality, integrity, and availability (CIA) triad:

  1. Confidentiality Breach
    • Attackers can access and exfiltrate sensitive data stored on the CrushFTP server
    • May include confidential files, intellectual property, or customer information
    • Any files managed by the server are potentially exposed
  2. Integrity Compromise
    • Malicious actors can modify, delete, or replace legitimate files
    • Possibility of injecting malware into downloadable content
    • Alteration of configuration files or server settings
  3. System Availability and Complete Compromise
    • Attackers can upload malicious scripts leading to remote code execution
    • Potential for ransomware deployment across all accessible files
    • Installation of persistent backdoors for continued access
    • Lateral movement to other internal systems on the same network

The real-world threat landscape makes this vulnerability particularly concerning:

  • Active Exploitation in the Wild: Within days of disclosure, security researchers observed widespread scanning and exploitation attempts. The Shadowserver Foundation identified approximately 1,800 exposed CrushFTP instances worldwide (over 900 in the U.S.) and reported dozens of exploitation attempts against their honeypots.
  • Attractive Target for Threat Actors: File transfer systems like CrushFTP are prime targets for cybercriminals, especially ransomware gangs and data extortion groups. Attackers have a documented history of leveraging vulnerabilities in file-sharing solutions (such as MOVEit Transfer and Citrix ShareFile) to orchestrate large-scale breaches.

Given the critical CVSS score (9.8), ease of exploitation, and confirmed attack activity, any internet-facing CrushFTP server running an affected version represents an immediate and severe security risk that requires urgent remediation.

Mitigation Steps

To protect your systems from CVE-2025-2825, immediate action is required. Here are the recommended mitigation strategies:

1. Update CrushFTP Immediately

The most effective remediation is to update your CrushFTP installation to a patched version:

  • For CrushFTP 11.x users: Upgrade to version 11.3.1 or later
  • For CrushFTP 10.x users: Upgrade to version 10.8.4 or later
# Example steps for updating CrushFTP (general process)

# 1. Download the latest version from the CrushFTP website

# 2. Stop your CrushFTP service

systemctl stop crushftp  # or equivalent command for your system

# 3. Backup your existing installation

cp -r /path/to/crushftp /path/to/crushftp_backup

# 4. Extract and replace the CrushFTP files

# 5. Restart the service

systemctl start crushftp  # or equivalent command for your system

# 6. Verify the version after update from admin interface or logs

For CrushFTP v11.2.3_19 or higher, you can enable the auto-update feature by setting daily_check_and_auto_update_on_idle in the prefs.XML file to fetch patches automatically in the future.

2. Implement Network Protections (If Patching Is Delayed)

If immediate patching is not possible, implement temporary measures to reduce your attack surface:

Enable CrushFTP’s DMZ Proxy Mode: The vendor has confirmed that the CVE-2025-2825 exploit does not work when the CrushFTP DMZ proxy is properly configured. In this mode, an external proxy instance handles internet traffic and communicates securely with the internal server.

<!– Example configuration in prefs.XML to enable DMZ mode –>

<item name=”dmz_mode”>true</item>

<item name=”dmz_server_key”>your_secure_key_here</item>

<item name=”dmz_remote_server”>internal_server_address</item>

Restrict Network Access via Firewall/WAF: Use firewall rules or cloud security groups to limit incoming traffic to the CrushFTP HTTP/S ports (typically 8080 or 443) to only trusted IP addresses:

# Example iptables rules to restrict access to CrushFTP ports

iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT  # Allow internal network

iptables -A INPUT -p tcp --dport 8080 -j DROP  # Block all other access

# Example WAF rule to block suspicious authorization headers

SecRule REQUEST_HEADERS:Authorization "@contains AWS4-HMAC-SHA256" \

    "id:1000001,phase:1,deny,status:403,msg:'Potential CrushFTP CVE-2025-2825 exploit attempt'"

Require VPN access for remote users to prevent direct exposure to the internet.

3. Monitor and Harden

Whether you’ve patched or not, ensure the threat is detected and mitigated:

Check for Indicators of Compromise: Review your CrushFTP server logs for signs of unauthorized access, particularly focusing on default accounts:

# Example log entries that might indicate exploitation

2025-03-25 12:34:56 – [LOGIN] Login successful for user ‘crushadmin’ from IP 203.0.113.37

2025-03-26 08:12:34 – [USER] New user ‘backdoor_admin’ created by ‘crushadmin’

Look for unusual activities, such as account creation, permission changes, or file operations from unexpected sources.

Secure Default Credentials: Change default passwords and consider renaming or disabling default accounts when possible:

# In CrushFTP admin interface:

1. Navigate to Users > crushadmin

2. Set a strong, unique password (20+ characters with mixed case, numbers, and symbols)

3. Consider renaming the default admin account

4. Enable two-factor authentication if available

Apply Least Privilege Principle: Review your CrushFTP user permissions and server access rights:

# Example configuration to restrict user capabilities

<user name="standard_user">

  <item name="admin">false</item>

  <item name="view_log">false</item>

  <item name="root_dir">/limited/access/path</item>

  <!-- Additional restrictions -->

</user>

Isolate the CrushFTP server from critical systems and limit its access to only necessary resources.

Use Security Tools for Detection: Implement vulnerability scanning to identify unpatched instances. Community-provided detection tools, such as the Nuclei template for CVE-2025-2825, can help locate vulnerable servers:

# Example Nuclei template snippet for detecting CVE-2025-2825

id: crushftp-auth-bypass

info:

  name: CrushFTP Authentication Bypass

  author: security-researcher

  severity: critical

  description: Detects CrushFTP servers vulnerable to CVE-2025-2825 authentication bypass

requests:

  - method: GET

    path:

      - "{{BaseURL}}/WebInterface/function/?command=getUserList&c2f=1111"

    headers:

      Cookie: "CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111"

      Authorization: "AWS4-HMAC-SHA256 Credential=crushadmin/"

By implementing these mitigation strategies promptly, you can protect your systems from this critical vulnerability and minimize the risk of compromise.

Am I Impacted by CVE-2025-2825?

IONIX is actively tracking this vulnerability. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the threat center of the IONIX portal.

IONIX customers will see updated information on their specific assets in the threat center of the IONIX portal.

References

  1. National Vulnerability Database: CVE-2025-2825 – NIST National Vulnerability Database entry for CrushFTP Unauthenticated Access Vulnerability
  2. CrushFTP Official Advisory: Update Notice – Vendor security advisory on Unauthenticated HTTP(S) Port Access on CrushFTP v10/v11
  3. ProjectDiscovery Research: CrushFTP Authentication Bypass – Technical deep dive and proof-of-concept exploit details
  4. Help Net Security: Patch critical vulnerability ASAP! – Vulnerability overview and mitigation guidance
  5. SecurityWeek: Hackers Exploiting CrushFTP Vulnerability – Threat landscape analysis including exploitation attempts and affected asset count

WATCH A SHORT IONIX DEMO

See how easy it is to implement a CTEM program with IONIX. Find and fix exploits fast.

THE LATEST FROM IONIX

Billy Hoffman
October 9, 2025
Exposed, Misconfigured and Forgotten: The Triple Threat of External Risk (and how to fix with Cloudflare and IONIX) 
Learn more
Tal Zamir
September 26, 2025
CVE-2025-20333: Authenticated RCE in Cisco ASA / FTD VPN Web Server
Learn more
Itay Paz Slavin
September 22, 2025
Exposed AI Agents in the Wild: How a Public MCP Server Let Us Peek Inside Its Host
Learn more