CVE-2025-2825: CrushFTP Unauthenticated Access Vulnerability

Executive Summary

CVE-2025-2825 is a critical vulnerability affecting CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. This vulnerability allows unauthenticated remote attackers to bypass authentication and gain unauthorized access to the CrushFTP server. The root cause lies in improper authentication handling, specifically related to S3 authentication and parameter overloading. Successful exploitation can lead to complete compromise of the affected system, including access to sensitive data, modification of files, and disruption of services. The vulnerability has a CVSS score of 9.8, indicating its critical severity.

Technical Details

Affected Systems:

  • CrushFTP servers

Affected Software Versions:

  • 10.0.0 <= version < 10.8.4
  • 11.0.0 <= version < 11.3.1
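The two half-open ranges above are easy to get wrong in an inventory script if versions are compared as strings (a lexicographic compare puts 10.8.10 before 10.8.4). The following triage helper is an added example, not CrushFTP code; the host names and version strings in SAMPLE_INVENTORY are constructed, and the tolerance for a build suffix after the patch number is an assumption rather than a documented CrushFTP version format.

```python
"""Triage CrushFTP hosts against the affected ranges listed in the advisory:
10.0.0 <= v < 10.8.4 and 11.0.0 <= v < 11.3.1.  Added example, not CrushFTP code."""
import re

# Half-open [lower, first_fixed) ranges, taken from the advisory's version list.
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 8, 4)),
    ((11, 0, 0), (11, 3, 1)),
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into an integer tuple so comparisons are numeric.
    An optional leading 'v' and an optional build suffix after '_' or '-' are
    tolerated and ignored (assumption about how versions may be recorded)."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:[_\-].*)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts into 'affected', 'outside_affected_ranges' (patched or a
    release line the advisory does not list) and 'unknown' (unparseable)."""
    out: dict[str, list[str]] = {"affected": [], "outside_affected_ranges": [], "unknown": []}
    for host, ver in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(ver) else "outside_affected_ranges"
        except ValueError:
            bucket = "unknown"
        out[bucket].append(host)
    return out


# Constructed inventory for the example; these are not real hosts or deployments.
SAMPLE_INVENTORY = {
    "ftp-a": "10.8.3",   # last affected 10.x
    "ftp-b": "10.8.4",   # first fixed 10.x
    "ftp-c": "11.3.0",   # last affected 11.x
    "ftp-d": "11.3.1",   # first fixed 11.x
    "ftp-e": "10.8.10",  # sorts before 10.8.4 as a string, after it numerically
    "ftp-f": "9.5.2",    # release line not listed in the advisory
    "ftp-g": "unknown",  # unparseable, needs manual follow-up
    "ftp-h": "11.2.5",   # inside the 11.x affected range
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts landing in "unknown" should be treated as affected until their version is confirmed; the script deliberately refuses to guess from a malformed string.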

Affected Components:

The vulnerability resides within the authentication handling mechanisms of CrushFTP, specifically in the processing of HTTP requests and S3 authentication headers. The core issue is located in the login_user_pass() method and how it interacts with the lookup_user_pass flag.

Vulnerability Impact:

Successful exploitation of CVE-2025-2825 allows an unauthenticated attacker to gain unauthorized access to the CrushFTP server. This can lead to:

  • Confidentiality Breach: Access to sensitive files and data stored on the server.
  • Integrity Violation: Modification or deletion of files, potentially leading to data corruption or service disruption.
  • Availability Impact: Complete compromise of the server, potentially leading to denial of service.

Root Cause Analysis

The root cause of CVE-2025-2825 stems from a combination of parameter overloading and improper handling of S3 authentication headers. The lookup_user_pass flag, intended to indicate whether to look up a user's password, is also used as the anyPass parameter in the login_user_pass() method. This dual usage creates a vulnerability when processing S3 authentication headers.

Specifically, when an HTTP request carrying an AWS S3-style Authorization header is received, the code checks the username for a tilde (~) character. If the username does not contain a tilde, lookup_user_pass is set to true, which skips the intended password validation inside login_user_pass() and grants access without proper authentication.

Here's a simplified representation of the vulnerable code logic:

public boolean login_user_pass(String username, String password, boolean lookup_user_pass) {
    boolean authenticated = false;

    if (lookup_user_pass) {
        // Vulnerable code path: Password validation is skipped
        // Access is granted based on username alone
        authenticated = true; // Authentication bypass
    } else {
        // Normal authentication path: Password validation is performed
        User user = getUser(username);
        if (user != null && user.checkPassword(password)) {
            authenticated = true;
        }
    }

    return authenticated;
}

public boolean handleS3Authentication(HttpServletRequest request, String username) {
    boolean lookup_user_pass = false; // Default value

    if (!username.contains("~")) {
        lookup_user_pass = true; // Vulnerable condition
    }

    String password = ""; // Password is not validated in this path
    return login_user_pass(username, password, lookup_user_pass);
}

Exploit Scenario:

An attacker can exploit this vulnerability by crafting an HTTP request with an AWS S3-style Authorization header. The request must include a valid username (without a tilde) and a CrushAuth cookie in a specific format. The absence of the tilde in the username triggers the vulnerable code path, bypassing password validation and granting unauthorized access.

Example HTTP Request:

GET /WebInterface/ HTTP/1.1
Host: vulnerable-crushftp-server.com
Authorization: AWS AKIAIOSFODNN7EXAMPLE:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Date: Thu, 05 Jan 2025 23:59:59 GMT
Cookie: CrushAuth=user:admin;

In this example, the Authorization header mimics an AWS S3 authentication header. The Cookie header includes a CrushAuth cookie with a valid username (e.g., "admin"). Because the username "admin" does not contain a tilde (~), the lookup_user_pass flag is set to true, bypassing password validation.

Code Example of the Fix:

The fix implemented in version 11.3.1 adds a new security parameter, s3_auth_lookup_password_supported (false by default), and a check that refuses the lookup_user_pass path unless that parameter has been explicitly enabled.

public boolean login_user_pass(String username, String password, boolean lookup_user_pass, boolean s3_auth_lookup_password_supported) {
    boolean authenticated = false;

    if (lookup_user_pass && !s3_auth_lookup_password_supported) {
        // Vulnerable code path is now blocked
        // Authentication is denied
        authenticated = false; // Authentication blocked
    } else if (lookup_user_pass) {
        // Password validation is skipped only if s3_auth_lookup_password_supported is true
        // Access is granted based on username alone
        authenticated = true;
    } else {
        // Normal authentication path: Password validation is performed
        User user = getUser(username);
        if (user != null && user.checkPassword(password)) {
            authenticated = true;
        }
    }

    return authenticated;
}

public boolean handleS3Authentication(HttpServletRequest request, String username, boolean s3_auth_lookup_password_supported) {
    boolean lookup_user_pass = false; // Default value

    if (!username.contains("~")) {
        lookup_user_pass = true; // Formerly the bypass trigger; now gated in login_user_pass() by s3_auth_lookup_password_supported
    }

    String password = ""; // Password is not validated in this path
    return login_user_pass(username, password, lookup_user_pass, s3_auth_lookup_password_supported);
}

This fix ensures that the vulnerable code path is blocked by default, preventing unauthenticated access via S3 authentication headers.

Mitigation Strategies

To mitigate the risk posed by CVE-2025-2825, the following strategies are recommended:

  1. Upgrade to the Latest Version: The most effective mitigation is to upgrade CrushFTP to version 10.8.4 or 11.3.1 or later. These versions contain the necessary patches to address the vulnerability.

  2. DMZ Feature: The vulnerability is mitigated if the DMZ feature of CrushFTP is in place. This feature isolates the CrushFTP server from the internal network, reducing the potential impact of a successful exploit.

  3. Disable S3 Authentication (If Not Used): If S3 authentication is not required, disable it to eliminate the vulnerable code path. This can be done through the CrushFTP server configuration.

  4. Network Segmentation: Implement network segmentation to limit the potential impact of a successful exploit. This involves isolating the CrushFTP server from other critical systems on the network.

  5. Web Application Firewall (WAF): Deploy a WAF to detect and block malicious requests targeting the vulnerability. Rules can identify and block requests that combine a suspicious S3-style Authorization header with a CrushAuth cookie.
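The request shape described in this advisory (an S3-style Authorization header together with a CrushAuth cookie whose username has no tilde) can be expressed as a simple triage rule for WAF tuning or access-log review. The script below is an added example, not part of the advisory or of CrushFTP; the requests in SAMPLE_REQUESTS are constructed to mirror the example request above, and two details are assumptions: that the CrushAuth cookie value may appear without the "user:" prefix, and that both the "AWS " (signature v2) and "AWS4-" (signature v4) header prefixes should count as S3-style.

```python
"""Flag HTTP request heads matching the CVE-2025-2825 pattern from the advisory:
an AWS S3-style Authorization header plus a CrushAuth cookie whose username
contains no tilde.  Defensive triage logic (added example, not CrushFTP code)."""
import re
from typing import Optional

# Constructed sample requests (headers only), modelled on the advisory's example;
# not captured traffic.
SAMPLE_REQUESTS = [
    # 1: S3-style header + tilde-free CrushAuth user -> matches the bypass pattern
    "GET /WebInterface/ HTTP/1.1\r\n"
    "Host: crushftp.example.internal\r\n"
    "Authorization: AWS AKIAIOSFODNN7EXAMPLE:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\r\n"
    "Date: Thu, 05 Jan 2025 23:59:59 GMT\r\n"
    "Cookie: CrushAuth=user:admin;\r\n",
    # 2: ordinary web-interface request, no S3-style header -> benign
    "POST /WebInterface/function/ HTTP/1.1\r\n"
    "Host: crushftp.example.internal\r\n"
    "Cookie: CrushAuth=user:alice;\r\n",
    # 3: S3-style header but the username contains a tilde -> not the bypass path
    "GET /WebInterface/ HTTP/1.1\r\n"
    "Authorization: AWS AKIAIOSFODNN7EXAMPLE:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\r\n"
    "Cookie: CrushAuth=user:svc~s3;\r\n",
    # 4: S3-style header with no CrushAuth cookie -> low confidence, log for review
    "GET /bucket/ HTTP/1.1\r\n"
    "Authorization: AWS AKIAIOSFODNN7EXAMPLE:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\r\n",
]


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw request head into the request line and a lower-cased header map."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln]
    request_line = lines[0] if lines else ""
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def crushauth_username(cookie_header: Optional[str]) -> Optional[str]:
    """Extract the username from a CrushAuth cookie written as CrushAuth=user:<name>.
    Assumption: if the 'user:' prefix is absent, the whole value is the username."""
    if not cookie_header:
        return None
    m = re.search(r"(?:^|;\s*)CrushAuth=([^;]*)", cookie_header)
    if not m:
        return None
    value = m.group(1).strip()
    return value[len("user:"):] if value.startswith("user:") else value


def classify(raw: str) -> Optional[str]:
    """Return a reason string when the request matches the suspicious pattern, else None."""
    _, headers = parse_request(raw)
    auth = headers.get("authorization", "")
    # Assumption: treat both 'AWS ' (SigV2) and 'AWS4-' (SigV4) prefixes as S3-style.
    if not re.match(r"AWS4?\b", auth, re.IGNORECASE):
        return None
    user = crushauth_username(headers.get("cookie"))
    if user is None:
        return "S3-style Authorization header without CrushAuth cookie (review)"
    if "~" not in user:
        return f"S3-style Authorization header with tilde-free CrushAuth user '{user}' (block)"
    return None


def scan(requests: list[str]) -> list[tuple[int, str]]:
    """Run classify() over a batch and return (1-based index, reason) for each hit."""
    return [(i, r) for i, raw in enumerate(requests, 1) if (r := classify(raw))]


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {reason}")
```

In a WAF the "(block)" verdict maps to a deny rule and "(review)" to a log-only rule; on a server where S3 authentication is not used at all, any S3-style Authorization header against the web interface is itself worth an alert.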

Configuration Changes:

  • Upgrade CrushFTP: Follow the official CrushFTP upgrade instructions to ensure a smooth and secure upgrade process.
  • DMZ Configuration: Configure the DMZ feature according to the CrushFTP documentation.
  • S3 Authentication Settings: Review and modify the S3 authentication settings within the CrushFTP server configuration.

Security Best Practices:

  • Regular Security Audits: Conduct regular security audits to identify and address potential vulnerabilities.
  • Penetration Testing: Perform penetration testing to simulate real-world attacks and assess the effectiveness of security controls.
  • Principle of Least Privilege: Apply the principle of least privilege to limit user access to only the resources they need.
  • Strong Password Policies: Enforce strong password policies to prevent unauthorized access.
  • Multi-Factor Authentication (MFA): Implement multi-factor authentication (MFA) for all user accounts to add an extra layer of security.

Alternative Solutions:

If upgrading or implementing the recommended mitigations is not immediately feasible, consider the following alternative solutions:

  • Monitor Network Traffic: Monitor network traffic for suspicious activity targeting the CrushFTP server.
  • Restrict Access: Restrict access to the CrushFTP server to only authorized users and IP addresses.

Timeline of Discovery and Disclosure

  • Vulnerability Discovered: The exact date of the initial discovery is not publicly available.
  • Vendor Reported: The vulnerability was reported to CrushFTP.
  • Patch Released: CrushFTP released patched versions (10.8.4 and 11.3.1) to address the vulnerability.
  • Public Disclosure: The vulnerability was publicly disclosed on March 26, 2025.
