CrushFTP: New CVE entry and details of attacked vulnerability
CrushFTP has created a new CVE entry for the already attacked vulnerability. It now also contains details.
(Image: Created with AI in Bing Creator by heise online / dmk)
Attacks on a vulnerability in the CrushFTP data transfer software have been known on the Internet since last week. The initial vulnerability description remained extremely superficial and only mentioned a possible “authentication bypass”. CrushFTP has now issued its own, more complete vulnerability report.
CrushFTP writes on its website: “CVE-2025-0282 appears to be a CVE copy that was automatically issued by an unrelated company”. Meanwhile, CrushFTP has also acknowledged the public exploit of the vulnerability there.
CrushFTP: Vulnerability description with more content
The description of the vulnerability in the new CVE entry is much more detailed. “CrushFTP before version 10.8.4 and 11.3.1 allows authentication bypass and takeover of the 'crushadmin' account (unless a DMZ proxy instance is used) as abused in the wild in March and April 2025, also known as 'unauthenticated HTTP(s) port access',” the note introduces. “A race condition affects the AWS4 HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. First, the server checks the existence of a user by calling login_user_pass() without requiring a password. This authenticates the session through the HMAC verification process until the server checks the user verification again. The vulnerability can be exploited more robustly without having to successfully win a race condition by sending a garbled AWS4 HMAC header.”
The authors further explain: “By simply specifying a username followed by a slash ('/'), the server finds a username, which triggers the 'successfully authenticated' process. The server then fails to find the expected 'SignedHeaders' entry, resulting in an 'index-out-of-bounds' error, which prevents the code from reaching the session cleanup routines. Together, this leads to a trivial ability to log in as any known or guessable user such as 'crushadmin', which can lead to a complete compromise of the system by gaining administrative access” (CVE-2025-31161, CVSS 9.8, risk “critical”).
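As an added defensive illustration, not code from CrushFTP or from the advisory quoted above: a strict parser for an AWS4 authorization header that validates every component before any user lookup could take place (the ordering the advisory identifies as the problem), plus a scan over constructed log lines that flags headers failing that check. The header grammar follows the general AWS SigV4 format and the log format is an assumption made for the example.

```python
import re
# Assumed well-formed shape (general AWS SigV4 format, not CrushFTP's own parser):
#   AWS4-HMAC-SHA256 Credential=<key>/<date>/<region>/<service>/aws4_request,
#                    SignedHeaders=<h1;h2;...>, Signature=<64 hex chars>
_PREFIX = "AWS4-HMAC-SHA256 "
_CRED_RE = re.compile(r"^[A-Za-z0-9_.\-]+/\d{8}/[a-z0-9\-]+/[a-z0-9\-]+/aws4_request$")
_SIG_RE = re.compile(r"^[0-9a-f]{64}$")

def parse_sigv4_authorization(value):
    """Return (user, signed_headers, signature) or None if the header is malformed.
    Every component is validated before any user lookup would happen, so a
    credential such as 'user/' with no SignedHeaders part is rejected up front
    instead of failing after the session has already been marked authenticated.
    """
    if not value.startswith(_PREFIX):
        return None
    parts = {}
    for field in value[len(_PREFIX):].split(","):
        key, sep, val = field.strip().partition("=")
        if not sep or key in parts:
            return None  # missing '=' or duplicated component
        parts[key] = val
    if set(parts) != {"Credential", "SignedHeaders", "Signature"}:
        return None  # a missing or unexpected component rejects the whole header
    if not _CRED_RE.match(parts["Credential"]) or not _SIG_RE.match(parts["Signature"]):
        return None
    signed = parts["SignedHeaders"].split(";")
    if "" in signed or "host" not in signed:
        return None
    return parts["Credential"].split("/")[0], signed, parts["Signature"]

# Constructed sample log lines (not real CrushFTP logs; the auth="..." field is an
# assumed format used only for this illustration).
SAMPLE_LOG = [
    '10.0.0.5 GET / auth="' + _PREFIX + 'Credential=alice/20250401/us-east-1/s3/aws4_request, '
    'SignedHeaders=host;x-amz-date, Signature=' + "a" * 64 + '"',
    '10.0.0.9 GET / auth="' + _PREFIX + 'Credential=crushadmin/"',
    '10.0.0.7 GET / auth="Basic Zm9vOmJhcg=="',
]
_AUTH_RE = re.compile(r'auth="([^"]*)"')

def find_malformed_sigv4(lines):
    """Return the log lines whose AWS4 header fails strict validation."""
    hits = []
    for line in lines:
        m = _AUTH_RE.search(line)
        if m and m.group(1).startswith("AWS4-HMAC-SHA256") and parse_sigv4_authorization(m.group(1)) is None:
            hits.append(line)
    return hits
```

Only requests that present an AWS4 header but fail the structural check are reported; Basic-auth and well-formed SigV4 lines pass through untouched.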
The US IT security authority CISA also immediately added the new CVE entry to the database of known exploited vulnerabilities. IT managers should install the updated software versions immediately if they have not already done so. “CrushFTP instances should display a notification of a new version within one day, unless access to the update servers has been blocked,” the authors write on the CrushFTP website.
(dmk)