{"id":2974,"date":"2025-04-01T10:04:15","date_gmt":"2025-04-01T10:04:15","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/04\/01\/crushftp-vulnerability-exploited-in-attacks-following-poc-release\/"},"modified":"2025-04-01T10:04:15","modified_gmt":"2025-04-01T10:04:15","slug":"crushftp-vulnerability-exploited-in-attacks-following-poc-release","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/04\/01\/crushftp-vulnerability-exploited-in-attacks-following-poc-release\/","title":{"rendered":"CrushFTP Vulnerability Exploited in Attacks Following PoC Release"},"content":{"rendered":"<div>\n<p>Security researchers have confirmed active exploitation attempts targeting the critical authentication bypass vulnerability in CrushFTP (CVE-2025-2825) following the public release of <a href=\"https:\/\/cybersecuritynews.com\/crushftp-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">proof-of-concept exploit code<\/a>.\u00a0<\/p>\n<p>Based on Shadowserver Foundation\u2019s most recent monitoring data, approximately 1,512 unpatched instances remain vulnerable globally as of March 30, 2025, with North America hosting the majority (891) of these exposed servers.<\/p>\n<p>The vulnerability, which carries a CVSS score of 9.8, affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.\u00a0<\/p>\n<p>First disclosed on March 26, 2025, it allows unauthenticated remote attackers to bypass <a href=\"https:\/\/cybersecuritynews.com\/authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">authentication<\/a> via a specially crafted HTTP request, potentially leading to complete system compromise.<\/p>\n<p>\u201cWe are observing CrushFTP CVE-2025-2825 exploitation attempts based on publicly available PoC exploit code,\u201d the 
Shadowserver Foundation announced in their recent advisory.\u00a0<\/p>\n<p>\u201cWe see ~1800 unpatched instances worldwide, with over 900 in the US.\u201d<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">We are observing CrushFTP CVE-2025-2825 exploitation attempts based on publicly available PoC exploit code. You can track attempts on our Dashboard at <a href=\"https:\/\/t.co\/PNW2ZzS9Gy\">https:\/\/t.co\/PNW2ZzS9Gy<\/a><\/p>\n<p>Still 1512 unpatched instances vulnerable to CVE-2025-2825 seen on 2025-03-30<a href=\"https:\/\/t.co\/PNW2ZzS9Gy\">https:\/\/t.co\/PNW2ZzS9Gy<\/a> <a href=\"https:\/\/t.co\/w0CkIHWxk8\">https:\/\/t.co\/w0CkIHWxk8<\/a> <a href=\"https:\/\/t.co\/MCFnwsjmP0\">pic.twitter.com\/MCFnwsjmP0<\/a><\/p>\n<p>\u2014 The Shadowserver Foundation (@Shadowserver) <a href=\"https:\/\/twitter.com\/Shadowserver\/status\/1906753539499520064?ref_src=twsrc%5Etfw\">March 31, 2025<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/figure>\n<h2 class=\"wp-block-heading\"><strong>Technical Details of the Exploit<\/strong><\/h2>\n<p>Security researchers at ProjectDiscovery published a detailed analysis revealing how attackers can exploit the vulnerability using a relatively simple three-step process:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfJc311QcCE6sYviW2atEhSn3SMsfEuovPnr1DsXcFk77P-wiwPOd-b7bGE_QEXttTmhdHMa2WjG8kOO-EzVNu18q-OYrc3dd4Q5sqnHaqcgYqMOTBRywRu1T7OeG-PHEIBeFzreA?key=Gxw2iWKOsPWo8TA28r0GDaBQ\" alt=\"\"><\/figure>\n<\/div>\n<p>The attack leverages three critical components:<\/p>\n<ul class=\"wp-block-list\">\n<li>A spoofed AWS header that exploits CrushFTP\u2019s <a 
href=\"https:\/\/cybersecuritynews.com\/86000-healthcare-staff-records-exposed\/\" target=\"_blank\" rel=\"noreferrer noopener\">S3 protocol<\/a> handling with the default \u201ccrushadmin\u201d username<\/li>\n<li>A fabricated cookie with a specific 44-character CrushAuth value<\/li>\n<li>Parameter manipulation using the c2f parameter to bypass password verification checks<\/li>\n<\/ul>\n<p>The vulnerability stems from flawed authentication logic when processing S3-style requests, where the system incorrectly accepts the \u201ccrushadmin\/\u201d credential as valid without proper password verification.<\/p>\n<p>The latest data from Shadowserver\u2019s monitoring dashboard shows Europe hosting the second-largest number of vulnerable instances at 490, followed by Asia (62), Oceania (45), and both South America and Africa with 12 instances each.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Mitigation Strategies<\/strong><\/h2>\n<p>CrushFTP <a href=\"https:\/\/cybersecuritynews.com\/crushftp-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">released<\/a> version 11.3.1 with critical fixes that address the vulnerability by:<\/p>\n<ul class=\"wp-block-list\">\n<li>Disabling insecure S3 password lookup by default<\/li>\n<li>Adding a security parameter \u201cs3_auth_lookup_password_supported=false\u201d<\/li>\n<li>Implementing proper authentication flow checks<\/li>\n<\/ul>\n<p>Security experts recommend several immediate actions:<\/p>\n<ul class=\"wp-block-list\">\n<li>Upgrade to CrushFTP version 11.3.1+ or 10.8.4+ immediately<\/li>\n<li>Enable the DMZ feature as a temporary mitigation if immediate patching is not possible<\/li>\n<li>Use ProjectDiscovery\u2019s free detection tool: nuclei -t https:\/\/cloud.projectdiscovery.io\/public\/CVE-2025-2825<\/li>\n<li>Audit server logs for suspicious GET requests to \/WebInterface\/function\/<\/li>\n<\/ul>\n<p>This vulnerability follows previous security issues in CrushFTP, including CVE-2023-43177, which 
similarly allowed unauthenticated attackers to access files and <a href=\"https:\/\/cybersecuritynews.com\/cannon-printer-vulnerability-arbitrary-code\/\" target=\"_blank\" rel=\"noreferrer noopener\">execute arbitrary code<\/a>.\u00a0<\/p>\n<p>The recurring pattern of authentication vulnerabilities in file transfer solutions reflects a concerning trend, as attackers continue to target these critical infrastructure components as entry points into corporate networks. Organizations are urged to prioritize patching this vulnerability immediately.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/crushftp-vulnerability-exploited-in-attacks\/\">CrushFTP Vulnerability Exploited in Attacks Following PoC Release<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Kaaviya<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/crushftp-vulnerability-exploited-in-attacks\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CrushFTP Vulnerability Exploited in Attacks Following PoC Release Security researchers have confirmed active exploitation attempts targeting the critical authentication bypass vulnerability in CrushFTP (CVE-2025-2825) following the public release of proof-of-concept exploit code.\u00a0 
Based on Shadowserver Foundation\u2019s most recent monitoring data, approximately 1,512 unpatched instances remain vulnerable globally as of March 30, 2025, with North America [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[677,129,63,131],"tags":[130],"class_list":["post-2974","post","type-post","status-publish","format-standard","hentry","category-cyber-attack-article","category-cyber-security","category-cyber-security-news","category-vulnerability","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2974"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=2974"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2974\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=2974"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=2974"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=2974"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}