CVE-2025-2825 is a critical authentication bypass vulnerability affecting CrushFTP, a widely used secure file transfer server. The flaw allows remote attackers to bypass login authentication and gain administrative access by spoofing headers — tricking the server into thinking the request came from localhost.
- Severity: Critical
- CVSS Score: 9.8
- Attack Vector: Remote
- Affected Versions: CrushFTP < v10.6.0
- Fixed In: v10.6.0 and above
- Status: Under active exploitation in the wild
The vulnerability arises from improper validation of the X-Forwarded-For header. When this header is set to 127.0.0.1, the server treats the request as local and bypasses authentication.
GET /WebInterface/login.html?command=validate&username=Admin&password=any HTTP/1.1
Host: target-ip
X-Forwarded-For: 127.0.0.1
📝 Replace target-ip with the actual IP address of the target CrushFTP server.
If successful, the server bypasses authentication and grants access — even with incorrect credentials.
Tools used:
- Python – scripting the exploit
- Burp Suite – intercepting and modifying HTTP headers
- Wireshark – packet capture and analysis
- Nmap – port scanning and service enumeration
- CrushFTP – vulnerable target instance
- GitHub – for publishing PoC and documentation
Reproduction steps:
- Set up a vulnerable version of CrushFTP (v10.5 or earlier).
- Intercept the login request using Burp Suite.
- Modify the HTTP request header: X-Forwarded-For: 127.0.0.1
- Forward the request.
- Admin access is granted without valid credentials.
Mitigation:
- Upgrade to CrushFTP v10.6.0 or higher.
- Sanitize and validate headers like X-Forwarded-For; only trust values set by your own reverse proxy, never ones supplied directly by the client.
- Restrict admin access to localhost or behind a VPN/firewall.
- Monitor logs for suspicious access patterns, such as requests carrying X-Forwarded-For: 127.0.0.1 that arrive from a non-loopback source address.
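The log-monitoring point above, as an added detection example that is not part of the original write-up: it scans constructed log lines in an assumed "peer_ip method path xff=..." layout (not CrushFTP's real log format) and flags any request whose X-Forwarded-For chain claims a loopback address while the actual TCP peer is remote.

```python
import ipaddress
from typing import Optional

# Constructed sample log lines in an assumed "peer_ip method path xff=..." layout.
# This is NOT CrushFTP's real log format, only a stand-in for the example.
SAMPLE_LOG = """\
203.0.113.7 GET /WebInterface/login.html?command=validate&username=Admin&password=any xff=127.0.0.1
198.51.100.3 GET /WebInterface/login.html?command=validate&username=bob&password=x xff=-
127.0.0.1 GET /WebInterface/login.html?command=validate&username=Admin&password=any xff=127.0.0.1
192.0.2.9 GET /WebInterface/ xff=::1
10.0.0.5 GET /WebInterface/login.html xff=10.0.0.5, 127.0.0.1
"""

def is_loopback(value: str) -> bool:
    """True if value parses as a loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(value.strip()).is_loopback
    except ValueError:
        return False

def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line into its fields; return None if malformed."""
    parts = line.split(" ", 3)
    if len(parts) != 4 or not parts[3].startswith("xff="):
        return None
    xff = parts[3][len("xff="):]
    # "-" means the header was absent; otherwise it may be a comma-separated hop chain.
    hops = [] if xff == "-" else [h.strip() for h in xff.split(",")]
    return {"peer": parts[0], "method": parts[1], "path": parts[2], "xff": hops}

def find_spoofed_loopback(log_text: str) -> list:
    """Return (peer, path) for requests whose X-Forwarded-For claims loopback
    while the TCP peer is remote.

    A genuine local request arrives from a loopback peer, so a remote peer
    presenting 127.0.0.1 or ::1 anywhere in the chain is the pattern to alert on.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_loopback(rec["peer"]):
            continue
        if any(is_loopback(hop) for hop in rec["xff"]):
            findings.append((rec["peer"], rec["path"]))
    return findings
```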
Shivshant Patil
Certified Ethical Hacker (CEH v13)
B.Tech Computer Engineering Graduate