All posts

Dissecting CVE-2025-2825: A Critical Authentication Bypass in CrushFTP

By   ·  2 minute read

Enterprise file transfer solutions form the backbone of secure data exchange for countless organizations. When vulnerabilities emerge in these systems, the potential impact can be severe. Recently, a critical authentication bypass vulnerability in CrushFTP (CVE-2025-2825) has demonstrated how seemingly minor implementation details can lead to catastrophic security failures.

crushftp

 

The Vulnerability Overview

CrushFTP, a versatile multi-protocol file transfer server supporting FTP, SFTP, WebDAV, HTTP/S, and Amazon S3-compatible API access, contained a critical flaw in versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. This vulnerability received a CVSS score of 9.8 (Critical) due to its low complexity, network-based attack vector, and potential for complete system compromise.

Technical Root Cause Analysis

The vulnerability stems from a fundamental flaw in the authentication mechanism, specifically in how CrushFTP handles Amazon S3-compatible API requests. The issue lies in the loginCheckHeaderAuth() method of ServerSessionHTTP.java, which processes HTTP requests with S3-style authorization headers.

Let's break down the vulnerability chain:

  1. Parameter Overloading: A boolean flag called lookup_user_pass serves dual purposes:
       - Originally intended to determine whether to look up a user's password from storage
       - Also used as the anyPass parameter in authentication methods
  2. Default Value Issue: When processing S3 authentication headers, lookup_user_pass defaults to true if the username doesn't contain a tilde character (~).
  3. Authentication Bypass: When this flag propagates through the authentication chain as anyPass, the code in UserTools.java completely bypasses password verification with this problematic condition:
     

    if (anyPass && user.getProperty("username").equalsIgnoreCase(the_user)) {

       return user;  // Authentication succeeds without any password check

    }

    This creates a trivial authentication bypass where an attacker only needs to know a valid username.

 

Exploitation Simplified

Exploiting this vulnerability requires minimal effort. An attacker needs only to craft an HTTP request with:
  1. A simplified AWS S3-style authorization header: Authorization: AWS4-HMAC-SHA256 Credential=username/
  2. A CrushAuth cookie following a specific format (doesn't need to be valid)
  3. A matching parameter in the URL

For example:

GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1
 Host: target-server:8081
 Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111
 Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/

The exploit works because:

  • The username crushadmin has no tilde, so lookup_user_pass defaults to true
  • This causes the anyPass parameter to be true, bypassing password validation
  • The cookie format satisfies the parser's requirements without being authentic
A successful exploitation grants the attacker complete administrative access, allowing them to access files, upload malicious content, create users, and effectively take full control of the server.
 

The Fix: Separating Security Concerns

CrushFTP addressed this vulnerability in version 11.3.1 through several key changes:

  1. Adding a new security parameter s3_auth_lookup_password_supported (defaulting to false)
  2. Implementing an early security check to block the vulnerable flow when lookup_user_pass would be true
  3. Restructuring the authentication flow to properly implement the intended behavior

The fix effectively separates the concerns of password lookup from authentication bypass, ensuring proper password validation occurs even when processing S3 authentication headers.

 

Detection and Remediation

For organizations using CrushFTP, immediate remediation is critical:

  1. Upgrade Immediately: Update to CrushFTP version 11.3.1 or later
  2. Implement Network Controls: If immediate upgrading isn't possible, restrict access to CrushFTP servers
  3. Monitor for Exploitation: Review logs for suspicious authentication patterns
  4. Run Vulnerability Scans: Use dedicated tools to identify vulnerable instances

 

Security Lessons Learned

This vulnerability highlights several important security principles:

  1. Separation of Concerns: Security-critical flags should have single, well-defined purposes
  2. Defense in Depth: Authentication should involve multiple validation layers
  3. Parameter Validation: All inputs, especially those affecting authentication, require strict validation
  4. Secure by Default: Security-critical systems should fail closed, not open
 

Conclusion

CVE-2025-2825 provides a clear example of how seemingly minor implementation decisions can lead to devastating security consequences. The vulnerability underscores the critical importance of careful security architecture, especially in authentication systems that protect sensitive enterprise data.

For developers, this case study reinforces the need to maintain strict separation of concerns in security-critical code. When implementing multi-protocol authentication systems, consistent validation across all paths is essential.

Organizations using file transfer solutions should view this vulnerability as a reminder to maintain rigorous patch management practices and implement defense-in-depth security controls to protect critical infrastructure components.