CrushFTP auth bypass vulnerability: disclosure mess leads to attacks

Outpost24 analysts recently discovered a critical authentication bypass vulnerability in CrushFTP, identified as CVE-2025-31161. The vulnerability has a CVSS v3.1 score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). We reached out to MITRE for a CVE on 13 March 2025 and were within an agreed 90-day non-disclosure period with CrushFTP. The plan was to give users plenty of time to patch before attackers were alerted to the vulnerability and able to exploit it.

Unfortunately, other parties have circulated news of the vulnerability under a separate CVE, CVE-2025-2825, without cooperating with Outpost24 and CrushFTP. This means the vulnerability has not been disclosed in a secure manner as intended.

The vulnerability is now being exploited by remote attackers, who are using it to gain unauthenticated access to devices running unpatched versions of CrushFTP v10 or v11. There have been over 1,500 vulnerable instances exposed online. The threat is particularly concerning as file transfer products like CrushFTP are often targeted by ransomware gangs.

CrushFTP has released patches to address the issue, and the recommended action is to immediately update to version 10.8.4 or 11.3.1 and later. Please take immediate action to patch ASAP. "The bottom line of this vulnerability is that an exposed HTTPS port could lead to unauthenticated access," CrushFTP warned in an email sent to customers on Friday, March 21st, when it released patches to address the security flaw. If immediate patching isn't possible, enabling the DMZ perimeter network option can serve as a workaround.

We'll run through how the vulnerability works, how our analysts found it, and the timeline of events around the botched disclosure of this issue.

A race condition exists in the AWS4-HMAC authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass with no password requirement. This authenticates the session through the HMAC verification process and up until the point where the server checks for user verification once more; a request handled inside that window is treated as coming from the authenticated user.

The vulnerability can be further stabilized, eliminating the need to successfully trigger the race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash, the server will successfully find a username, which triggers the successful "any-pass" authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. The session is therefore left authenticated without the signature ever having been verified.

Together, these issues make it trivial to authenticate as any known or guessable user (e.g. crushadmin) and can lead to a full compromise of the system by obtaining an administrative account.

Outpost24 didn't plan to share these details at this stage, but we have decided to do so since the information has already been leaked. Below are the step-by-step instructions to recreate the issue.

Users should immediately patch to CrushFTP versions 10.8.4 or 11.3.1 and later. There are already cases of this vulnerability being exploited in the wild by remote attackers. If it's not possible to patch immediately, enabling the DMZ perimeter network option can serve as a workaround.

Outpost24's new CyberFlex solution offers continuous visibility and monitoring of your entire application attack surface, complete with flexible consumption-based budgeting options for a data-driven AppSec program. Get a live demo.

CrushFTP is file transfer server software designed to provide secure and efficient file sharing over the internet. It supports a wide range of protocols, including FTP, SFTP, FTPS, HTTP, HTTPS and WebDAV, making it suitable for various use cases, from simple file sharing to complex enterprise environments.

CVE-2025-31161 is a vulnerability remote attackers can use to gain unauthenticated access to devices running unpatched versions of CrushFTP v10 or v11.

The vulnerability is now being exploited by remote attackers, so users should immediately patch to 10.8.4 or 11.3.1 and later.

Kristian is an experienced OffSec penetration tester and security researcher at Outpost24.

Marcus is an Outpost24 cybersecurity specialist based in the UK with 8 years' experience in the tech and cyber sectors. He writes about attack surface management, application security, threat intelligence and compliance.
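The authentication-ordering flaw described in the technical section above, as an added example that is not part of the original write-up and is not CrushFTP's code: a small Python model with a vulnerable authorize function (user lookup and session login before the signature is checked, header fields read by position so that "Credential=<user>/" with nothing after it raises before the cleanup line) beside a hardened one (validate every field, verify the signature, only then log the session in, with fail-closed cleanup in a finally clause). The user store, the header shapes, the simplified HMAC-SHA256 stand-in for the AWS4 signature and the cookie-keyed session store are all constructed assumptions for the demonstration.

```python
"""Constructed model of the authentication-ordering flaw described above.
Added illustration only, not CrushFTP's code: the user store, positional header
parsing, simplified HMAC and session handling are assumptions for the demo."""
import hashlib
import hmac

# Constructed user store (assumption): username -> shared secret.
USERS = {"crushadmin": b"constructed-admin-secret",
         "alice": b"constructed-alice-secret"}


def sign(username, payload):
    """Simplified stand-in for the AWS4 signature: HMAC-SHA256 over the payload."""
    return hmac.new(USERS[username], payload, hashlib.sha256).hexdigest()


def vulnerable_authorize(header, session, payload):
    """Vulnerable ordering (modelled): the user is looked up and the session is
    marked logged in ('any-pass' login) BEFORE the signature is checked, and the
    header fields are read by position, so 'Credential=<user>/' with nothing
    after it raises IndexError before the cleanup line is ever reached."""
    scheme, _, rest = header.partition(" ")
    if scheme != "AWS4-HMAC-SHA256":
        return False
    parts = [p.strip() for p in rest.split(",")]
    username = parts[0].partition("=")[2].split("/")[0]  # text before the slash
    if username not in USERS:
        return False
    session["user"] = username                # session is now authenticated
    signed_headers = parts[1]                 # IndexError when SignedHeaders is absent
    signature = parts[2].partition("=")[2]
    if not hmac.compare_digest(sign(username, payload), signature):
        session["user"] = None                # cleanup is only reached on the normal path
        return False
    return True


def hardened_authorize(header, session, payload):
    """Hardened ordering: validate every required field, verify the signature,
    and only then touch the session; finally guarantees fail-closed cleanup."""
    ok = False
    try:
        scheme, _, rest = header.partition(" ")
        if scheme != "AWS4-HMAC-SHA256":
            return False
        fields = {}
        for part in rest.split(","):
            key, sep, value = part.strip().partition("=")
            if sep:
                fields[key] = value
        if any(k not in fields for k in ("Credential", "SignedHeaders", "Signature")):
            return False                      # malformed header: fail closed
        username, sep, scope = fields["Credential"].partition("/")
        if not sep or not scope or username not in USERS:
            return False
        if not hmac.compare_digest(sign(username, payload), fields["Signature"]):
            return False
        session["user"] = username            # only after successful verification
        ok = True
        return True
    finally:
        if not ok:
            session["user"] = None            # any early exit or exception logs out


def handle_request(authorize, header, sessions, cookie, payload=b"GET /"):
    """Server stand-in: sessions are keyed by cookie and outlive the request, so
    whatever authorize() leaves behind is what the next request sees. Exceptions
    become a generic error response, as a server-wide handler would do."""
    session = sessions.setdefault(cookie, {"user": None})
    try:
        return authorize(header, session, payload)
    except Exception:
        return False


MANGLED = "AWS4-HMAC-SHA256 Credential=crushadmin/"   # username + slash, nothing else


def demo():
    """Run the mangled header against both versions and report the outcomes."""
    sessions, payload = {}, b"GET /"
    good = ("AWS4-HMAC-SHA256 Credential=alice/20250321/us-east-1/s3/aws4_request, "
            "SignedHeaders=host, Signature=" + sign("alice", payload))
    badsig = "AWS4-HMAC-SHA256 Credential=crushadmin/x, SignedHeaders=host, Signature=00"
    out = {
        "vuln_mangled_response": handle_request(vulnerable_authorize, MANGLED, sessions, "c1"),
        "vuln_badsig_response": handle_request(vulnerable_authorize, badsig, sessions, "c2"),
        "hard_mangled_response": handle_request(hardened_authorize, MANGLED, sessions, "c3"),
        "hard_valid_response": handle_request(hardened_authorize, good, sessions, "c4", payload),
    }
    out["vuln_mangled_logged_in"] = sessions["c1"]["user"] is not None  # the bypass
    out["vuln_badsig_logged_in"] = sessions["c2"]["user"] is not None   # normal-path cleanup ran
    out["hard_mangled_logged_in"] = sessions["c3"]["user"] is not None
    out["hard_valid_logged_in"] = sessions["c4"]["user"] is not None
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The mangled header produces an error response from both versions, but only the vulnerable one leaves the cookie's session logged in afterwards, which is the whole bug: the error is returned, the cleanup line is never executed, and the next request with that cookie is served as crushadmin. The timing-dependent half of the issue is not modelled here; the window between the line that marks the session authenticated and the cleanup line is where the race described above lives, and the hardened version removes it by never marking the session before verification succeeds.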