CrushFTP Auth Bypass Vulnerability

Thousands of CrushFTP servers are under active attack. Security researchers have identified a critical authentication bypass vulnerability that’s being exploited in the wild. The flaw, tracked as CVE-2025-2825 (and also CVE-2025-31161), affects unpatched CrushFTP versions 10 and 11. Bad news for anyone dragging their feet on updates.

The vulnerability exists in how CrushFTP handles HTTP Authorization headers during AWS4-HMAC-SHA256 authentication. It’s not exactly rocket science to exploit. Attackers are exploiting a race condition that lets them temporarily authenticate as any user – including administrators. Yep, even admins. The attack is stabilized by manipulating the Authorization header, giving persistent unauthorized access.

Over 1,500 vulnerable instances are currently exposed online. Let that sink in. Attackers are sending HTTP GET requests with crafted authorization headers, bypassing authentication entirely. The proof-of-concept exploit code is publicly available, which explains why attacks ramped up dramatically just a week after patches were released on March 21.


What makes this particularly dangerous? The vulnerability has a CVSS score of 9.8 – practically off the charts. Full remote control of file transfer servers is the prize for attackers. Small businesses, which often lack proper security measures, are especially vulnerable to attacks like this one that exploit authentication weaknesses. And many administrators use predictable usernames like “crushadmin.” Real creative, folks.

Shadowserver Foundation’s monitoring has confirmed exploitation attempts targeting these servers. Internet-facing CrushFTP instances with exposed HTTP(S) ports are sitting ducks. The malformed requests sent by attackers create stable unauthorized sessions with administrative privileges. Game over.

Organizations need to update to CrushFTP versions 10.8.4 or 11.3.1 immediately. The original disclosure process was disrupted when another party published prematurely, forcing earlier public awareness than intended. Can’t patch right away? Enable the DMZ perimeter network option as a temporary measure. But seriously, just update your software.

This isn’t CrushFTP’s first rodeo with serious vulnerabilities. Last year saw CVE-2024-4040 and CVE-2023-43177 – both exploited in the wild. The vulnerability was disclosed after VulnCheck released a CVE without responsible disclosure, which accelerated exploitation in the wild. File transfer products have become prime targets for ransomware groups like Clop. They’re practically window shopping for vulnerable servers.

Active exploitation began less than a week after disclosure. The clock is ticking for unpatched systems. With attackers already leveraging this flaw, every minute counts. Security teams should be monitoring logs yesterday.
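As an added example (not code from this article, from CrushFTP, or from any of the researchers it cites), the following Python script performs two defensive checks that follow from the points above: it compares a reported CrushFTP version against the fixed releases named in the article (10.8.4 and 11.3.1, treating every earlier 10.x or 11.x build as unpatched), and it scans access-log lines for AWS4-HMAC-SHA256 Authorization headers, flagging any such header on a server that has no S3-compatible clients and, where SigV4 is expected, any header that does not fit the shape documented in the public AWS Signature Version 4 specification. The log format, IP addresses, paths and header values are all constructed for the example; CrushFTP's real log layout differs, and the shape check is a generic anomaly heuristic rather than a signature for this CVE.

```python
import re

# Fixed releases stated in the article. Assumption: every earlier build in the
# same major line is unpatched, which is how the article frames the advice.
FIXED_VERSIONS = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text):
    """Turn 'CrushFTP 11.2.3' or '10.8' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable_version(text):
    """True when the version is a 10.x build below 10.8.4 or an 11.x build below 11.3.1."""
    ver = parse_version(text)
    fixed = FIXED_VERSIONS.get(ver[0])
    if fixed is None:
        return False  # major line not covered by the advisory; not asserted as affected
    return ver < fixed


# Well-formed SigV4 Authorization header, per the AWS signing specification
# (generic format knowledge, not anything CrushFTP-specific).
SIGV4_RE = re.compile(
    r"^AWS4-HMAC-SHA256 Credential=[^/,\s]+/\d{8}/[^/,\s]+/[^/,\s]+/aws4_request,\s*"
    r"SignedHeaders=[a-z0-9;-]+,\s*Signature=[0-9a-f]{64}$"
)

# Constructed log format for this example only:
#   <client_ip> <method> <path> "<Authorization header value or ->"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def flag_requests(lines, s3_auth_expected=False):
    """Return (client_ip, path, reason) for every request worth a closer look.

    s3_auth_expected=False: the server has no S3-compatible clients, so any
        SigV4 header at all is unexpected and gets flagged.
    s3_auth_expected=True: SigV4 is normal here, so only headers that do not
        match the documented shape are flagged.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected (constructed) format
        ip, _method, path, auth = m.groups()
        if not auth.startswith("AWS4-HMAC-SHA256"):
            continue
        if not s3_auth_expected:
            findings.append((ip, path, "SigV4 auth on a server without S3-compatible clients"))
        elif not SIGV4_RE.match(auth):
            findings.append((ip, path, "SigV4 header does not match the documented shape"))
    return findings


# Constructed sample log: documentation IP ranges, made-up paths and header values.
SAMPLE_LOG = [
    '203.0.113.7 GET /files/ "Basic dXNlcjpwYXNz"',
    '198.51.100.4 GET / "AWS4-HMAC-SHA256 Credential=alice/20250328/us-east-1/s3/aws4_request,'
    ' SignedHeaders=host, Signature=' + "0" * 64 + '"',
    '198.51.100.4 GET /files/ "AWS4-HMAC-SHA256 Credential=alice, SignedHeaders=host"',
    '192.0.2.10 PUT /bucket/object "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250328/us-east-1/s3/'
    'aws4_request, SignedHeaders=host;x-amz-date, Signature=' + "a" * 64 + '"',
]

if __name__ == "__main__":
    for reported in ("CrushFTP 10.8.3", "CrushFTP 11.3.1", "11.2"):
        print(f"{reported}: {'UPDATE NOW' if is_vulnerable_version(reported) else 'patched'}")
    print("Server without S3 clients:")
    for ip, path, reason in flag_requests(SAMPLE_LOG):
        print(f"  {ip} {path} - {reason}")
    print("Server that does serve S3-compatible clients:")
    for ip, path, reason in flag_requests(SAMPLE_LOG, s3_auth_expected=True):
        print(f"  {ip} {path} - {reason}")
```

Run the version check against the banner or admin console of each internet-facing instance first; anything that comes back as unpatched should be updated (or moved behind the DMZ option) before spending time on the log review. The `s3_auth_expected` flag matters: on a plain file-transfer deployment the presence of any SigV4 header is the anomaly, while on a server that genuinely serves S3-compatible clients only the malformed ones stand out.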
