Enterprise file transfer solutions are critical infrastructure for many organizations, facilitating secure data exchange between systems and users. CrushFTP, a widely used multi-protocol file transfer server, offers an extensive feature set including Amazon S3-compatible API access. However, a critical vulnerability (CVE-2025-2825) was discovered in versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 that allows unauthenticated attackers to bypass authentication and gain unauthorized access.
This vulnerability, originally discovered and reported by the Outpost24 team to CrushFTP, received a CVSS score of 9.8 (Critical) due to its low complexity, network-based attack vector, and potential impact. In this research, we explore how seemingly minor implementation details in authentication mechanisms, particularly the reuse of one authentication flag for multiple purposes, can lead to severe security implications.
CrushFTP supports multiple protocols including FTP, SFTP, WebDAV, and HTTP/S, making it a versatile file transfer solution. As of version 10, it also implements S3-compatible API access, allowing clients to interact with it using the same API format used for Amazon S3 storage services.
S3 authentication typically uses a request signing mechanism: clients include an Authorization header in the AWS Signature Version 4 form, which carries the scheme (AWS4-HMAC-SHA256), a Credential field and a Signature field. The server extracts the AccessKey value from the Credential field to identify the user, then verifies the Signature to ensure the request is authentic. CrushFTP's implementation of this mechanism contained a critical flaw that we'll examine in detail.
The vulnerability exists in the loginCheckHeaderAuth() method of ServerSessionHTTP.java, which processes HTTP requests with S3-style authorization headers. The key parts of this vulnerable code are examined below.
The critical issue is with the lookup_user_pass flag. This flag has dual purposes:
- It determines whether to look up the user's stored password (when true) or use the provided password (when false).
- It is passed to login_user_pass(), where it is used as the anyPass parameter.
This parameter overloading creates the vulnerability, especially because by default lookup_user_pass is set to true when processing S3 authentication headers if the username doesn't contain a tilde character (~).
Header Parsing and Username Extraction
Below is a concise analysis of how CrushFTP parses the Authorization header using our exploit example:
The parsing happens in sequential string operations:
The header works effectively because:
This simple parsing makes exploitation straightforward, as attackers need only create a header with a valid username followed by a slash character.
Tracing the Authentication Flow
To fully understand this vulnerability, we need to follow the authentication flow through multiple method calls, tracing how the lookup_user_pass flag ultimately leads to authentication bypass.
Step 1: loginCheckHeaderAuth() Method
The authentication process begins in the loginCheckHeaderAuth() method, which is triggered when an HTTP request with an S3 authorization header is received.
Step 2: login_user_pass() Method
The login_user_pass() method in SessionCrush.java takes lookup_user_pass as its first parameter, named anyPass.
Step 3: verify_user() Method in SessionCrush
In the verify_user() method (also in SessionCrush.java), the anyPass parameter is passed further down to the actual user verification function.
Step 4: UserTools.ut.verify_user() Method
The final step is in the verify_user() method of UserTools.java, where the anyPass parameter determines whether password verification is required.
The most critical part of this chain is in UserTools.java. When anyPass is true (which happens by default for S3 authorization headers without a tilde in the username), password verification is completely bypassed by a single conditional check. This is a clear authentication bypass: the password check is skipped entirely.
Exploiting this vulnerability is straightforward. An attacker only needs to craft an HTTP request with an S3-style Authorization header naming a valid username. Breaking down this exploit:
- The header value AWS4-HMAC-SHA256 Credential=crushadmin/ supplies the username crushadmin, with no tilde character.
- Because the username contains no tilde, lookup_user_pass defaults to true.
- This causes the anyPass parameter to be true, bypassing password validation entirely.
We can verify the exploitation by examining the system's response: a successful response indicates the vulnerability has been successfully exploited. The attacker can then access files, upload malicious content, create admin users, and essentially gain complete access to the server.
CrushFTP addressed this vulnerability in version 11.3.1 through several key changes:
- A new setting, s3_auth_lookup_password_supported, was added and set to false by default.
- This setting now gates whether lookup_user_pass would be true for S3 authentication headers.
- Password validation now occurs regardless of lookup_user_pass.
These changes effectively address the vulnerability by ensuring proper password validation occurs even when processing S3 authentication headers. The fix separates the concern of password lookup from authentication bypass, correctly implementing the intended logic.
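To make the flag reuse traced in the authentication-flow steps and the gating added in 11.3.1 concrete, here is an added toy model in Python. It is not CrushFTP's source: the function names mirror those used in the article, but the bodies, the user store and the header parsing are constructed for this example, and the s3_auth_lookup_password_supported argument stands in for the real setting rather than reproducing how CrushFTP reads it.

```python
import hmac

# Constructed user store (username -> stored password); not CrushFTP's format.
USERS = {"crushadmin": "correct horse battery staple"}


def parse_s3_credential(authorization: str) -> str:
    """Return the username from an S3-style Authorization header.

    Mirrors the lenient sequential string operations the article describes:
    take the text after 'Credential=' up to the first '/'.
    """
    marker = "Credential="
    start = authorization.find(marker)
    if start < 0:
        raise ValueError("not an S3-style Authorization header")
    start += len(marker)
    end = authorization.find("/", start)
    return authorization[start:] if end < 0 else authorization[start:end]


def usertools_verify_user(user: str, password: str, any_pass: bool) -> bool:
    """Model of UserTools.verify_user(), the final check in the chain.

    any_pass=True means the supplied password is never compared: that is the
    flaw the article describes.
    """
    stored = USERS.get(user)
    if stored is None:
        return False
    if any_pass:
        return True
    return hmac.compare_digest(stored.encode(), password.encode())


def sessioncrush_verify_user(user: str, password: str, any_pass: bool) -> bool:
    """Model of SessionCrush.verify_user(): forwards anyPass unchanged."""
    return usertools_verify_user(user, password, any_pass)


def login_user_pass(any_pass: bool, user: str, password: str) -> bool:
    """Model of SessionCrush.login_user_pass(): lookup_user_pass arrives as anyPass."""
    return sessioncrush_verify_user(user, password, any_pass)


def login_check_header_auth(authorization: str, password: str,
                            s3_auth_lookup_password_supported: bool = False) -> bool:
    """Model of ServerSessionHTTP.loginCheckHeaderAuth().

    With s3_auth_lookup_password_supported=True (standing in for the behaviour
    before 11.3.1) a username without '~' sets lookup_user_pass=True, and that
    same flag is handed on as anyPass. With the default False (the 11.3.1
    behaviour as the article describes it) lookup_user_pass stays False and
    the password must match.
    """
    user = parse_s3_credential(authorization)
    lookup_user_pass = s3_auth_lookup_password_supported and "~" not in user
    return login_user_pass(lookup_user_pass, user, password)


def demo():
    """Same header, empty password: accepted by the overloaded-flag path, rejected by the gated one."""
    header = "AWS4-HMAC-SHA256 Credential=crushadmin/"
    return (login_check_header_auth(header, "", True),
            login_check_header_auth(header, "", False))


if __name__ == "__main__":
    print(demo())
```

The point of the model is the single boolean that travels unchanged from header parsing down to usertools_verify_user(): a value that means "look up the stored password" at the top is read as "skip the password check" at the bottom. The gated version keeps the two meanings apart, so the same header with no password is refused.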
We've created a Nuclei template to easily identify vulnerable CrushFTP instances:
This template attempts to access the user list API via the authentication bypass. A successful exploit returns an HTTP 200 response with all users present in the CrushFTP server. We noticed certain server configurations require two requests to trigger this vulnerability; therefore, the template sends two requests.
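As an added example (not part of the Nuclei template and not CrushFTP code), the following Python helper shows the defensive counterpart of the header-parsing section above: instead of splitting on the first slash, it checks an AWS SigV4 Authorization value for the structure a legitimate client always produces and flags requests that lack it, then runs that check over a few constructed log lines and notes sources that send more than one such request, since the template needs two. The log format is assumed (a reverse proxy that records the Authorization header); CrushFTP's own log format is not modelled, and the IPs, paths and signature value are constructed.

```python
import re

# Constructed sample log lines: ip, method, path, quoted Authorization header.
# The format is assumed for this example; it is not CrushFTP's log format.
SAMPLE_LOG = """\
203.0.113.5 GET /WebInterface/ "AWS4-HMAC-SHA256 Credential=crushadmin/"
198.51.100.7 GET /bucket/object.txt "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250401/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
198.51.100.9 GET /WebInterface/ "Basic dXNlcjpwYXNz"
203.0.113.5 POST /WebInterface/ "AWS4-HMAC-SHA256 Credential=crushadmin/"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<auth>[^"]*)"$')
HEX64 = re.compile(r"^[0-9a-f]{64}$")
SCHEME = "AWS4-HMAC-SHA256 "


def sigv4_anomalies(auth: str) -> list:
    """List the ways an AWS SigV4 Authorization value departs from the shape a
    real client produces. An empty list means it looks well-formed. Headers
    using another scheme are not examined and also return []."""
    if not auth.startswith(SCHEME):
        return []
    fields = {}
    for part in auth[len(SCHEME):].split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value
    problems = []
    # Credential is <access key>/<date>/<region>/<service>/aws4_request
    scope = fields.get("Credential", "").split("/")
    if len(scope) != 5 or not all(scope) or scope[-1] != "aws4_request":
        problems.append("credential scope malformed")
    if not fields.get("SignedHeaders"):
        problems.append("SignedHeaders missing")
    if not HEX64.match(fields.get("Signature", "")):
        problems.append("Signature missing or not 64 hex chars")
    return problems


def scan_log(text: str) -> list:
    """Return (ip, method, path, problems) for each request whose S3-style
    Authorization header is structurally invalid."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        problems = sigv4_anomalies(m["auth"])
        if problems:
            hits.append((m["ip"], m["method"], m["path"], problems))
    return hits


def repeated_sources(hits: list, threshold: int = 2) -> list:
    """Source IPs with at least `threshold` malformed requests. The article notes
    that some configurations need two requests, so a pair from one source stands out."""
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("repeat sources:", repeated_sources(found))
```

A well-formed SigV4 header always carries a five-part credential scope ending in aws4_request, a SignedHeaders list and a 64-character hex signature; a header that stops after the username is never something a real S3 client sends, so it is a low-noise signal regardless of whether the server in front of it is patched.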
Nuclei Templates Lab - CVE-2025-2825
We have recently launched our Nuclei Templates Lab, a dedicated environment designed for hands-on practice with the latest CVEs. We've included a lab specifically for CVE-2025-2825, allowing you to explore and understand this vulnerability in a controlled setting. You can access the lab for this CVE here.
CVE-2025-2825 demonstrates how parameter overloading in authentication systems can lead to critical vulnerabilities. This case shows that reusing a flag meant for password lookup as an authentication bypass control creates a severe security flaw.
For developers, this underscores the importance of maintaining clear separation of concerns in security-critical code. When implementing multi-protocol authentication systems, consistent validation across all paths is essential.
If you're running CrushFTP, upgrade to version 11.3.1+ immediately or implement network-level access controls to restrict server connections.
This Nuclei template is now part of the ProjectDiscovery Cloud platform, so you can automatically detect this vulnerability across your infrastructure. We also offer free monthly scans to help you detect emerging threats, covering all major vulnerabilities on an ongoing basis, plus a complete 30-day trial available to business email addresses.