CrushFTP Vulnerability Exploited to Gain Full Server Access

A critical vulnerability (CVE-2025-2825) in CrushFTP, a widely used enterprise file transfer solution, allows attackers to bypass authentication and gain unauthorized server access. 

The vulnerability, which affects versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, received a CVSS score of 9.8, categorizing it as critical due to its low complexity and severe potential impact.

The authentication bypass flaw exists in CrushFTP’s implementation of Amazon S3-compatible API access. 

Bypass Authentication Vulnerability

The core issue involves parameter overloading in the authentication system, where a flag meant for password lookup (lookup_user_pass) was reused as an authentication bypass control (anyPass). 

This implementation error allows attackers to skip password validation entirely when accessing the server. Security researchers at ProjectDiscovery documented that exploiting this vulnerability requires minimal technical knowledge.

An attacker only needs to craft an HTTP request with an AWS S3-style authorization header containing a valid username and a specially formatted CrushAuth cookie.

A proof-of-concept exploit looks like this:

The exploit takes advantage of how CrushFTP processes the Authorization header. When a username without a tilde (~) character is provided, the lookup_user_pass flag defaults to true, which is then passed directly to the login_user_pass() function as the anyPass parameter. 

When anyPass is true, the password verification is completely bypassed with this simple condition:

“This is a clear authentication bypass, the password check is skipped entirely,” explained researchers at ProjectDiscovery.
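The flag reuse described above, modelled as an added example (not CrushFTP's source; the user table, function names other than login_user_pass and the behaviour of the fixed path are assumptions drawn from the article's description) with the vulnerable decision beside the corrected one:

```python
import hmac

# Constructed sample user store for the example: username -> password.
USERS = {"alice": "correct-horse", "svc_backup": "batt3ry"}


def login_user_pass(user: str, password: str, any_pass: bool) -> bool:
    """Model of login_user_pass(): when any_pass is true the password
    comparison is skipped entirely, which is the bypass the article quotes."""
    if user not in USERS:
        return False
    if any_pass:
        return True  # password is never compared
    return hmac.compare_digest(USERS[user], password)


def s3_authenticate_vulnerable(user: str, password: str) -> bool:
    """Pre-11.3.1 flow as described: a username without '~' sets
    lookup_user_pass to true, and that same flag is handed to
    login_user_pass() as anyPass (parameter overloading)."""
    lookup_user_pass = "~" not in user
    return login_user_pass(user, password, any_pass=lookup_user_pass)


def s3_authenticate_fixed(user: str, password: str,
                          s3_auth_lookup_password_supported: bool = False) -> bool:
    """Post-fix flow as described (assumed model): password lookup is gated by
    s3_auth_lookup_password_supported, which defaults to false, and the lookup
    decision no longer doubles as the "skip the password check" decision."""
    lookup_user_pass = s3_auth_lookup_password_supported and "~" not in user
    # Whether or not a lookup happens, the bypass switch stays off: the two
    # concerns that were merged into one boolean are now kept apart.
    any_pass = False
    if lookup_user_pass and user not in USERS:
        return False
    return login_user_pass(user, password, any_pass=any_pass)
```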

Fixes Available

CrushFTP addressed this vulnerability in version 11.3.1 by adding a new security parameter s3_auth_lookup_password_supported set to false by default and implementing proper security checks in the authentication flow.

Organizations running CrushFTP are strongly advised to upgrade immediately to version 11.3.1 or later. For those who cannot update immediately, enabling the DMZ feature of CrushFTP can provide some mitigation, though this should be considered a temporary solution.

The company has provided a straightforward update process through its dashboard, which takes approximately 5 minutes to complete. Offline update methods are also available for systems without direct internet access.

ProjectDiscovery has released a Nuclei template for detecting vulnerable CrushFTP instances, allowing organizations to identify at-risk servers across their infrastructure.

Security experts recommend implementing additional security measures to restrict server connections, such as strong authentication methods, regular security audits, and network-level access controls.


The post CrushFTP Vulnerability Exploited to Gain Full Server Access appeared first on Cyber Security News.