Cyber Security Insights

[🤓Geek Alert!🚨] How are SMEs around the world affected by disclosed vulnerabilities?

Written by Ionut Staniu | Apr 4, 2025 5:57:16 AM

🚨CVE-2025-2825 🚨: Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.

CrushFTP is a widely used enterprise-grade file transfer server, and its vendor recently disclosed that versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 contain a critical authentication bypass flaw.

🔎 By running a few small #OSINT queries on #shodan, #hunter, #censys, or even the Google dork intitle:"CrushFTP WebInterface" inurl:/WebInterface/Login.html, you can identify thousands of potentially vulnerable endpoints.

This type of flaw can have an immediate impact when successfully exploited, or it can be chained into a more complex attack technique for a bigger impact on companies.

👇Query:

SHODAN: server: CrushFTP HTTP Server

[Screenshot: Shodan query results]

Romania Filtered SHODAN: server: CrushFTP HTTP Server country:"RO"

[Screenshot: Shodan query results filtered to Romania (RO)]

🗂️Full reference: https://securityonline.info/crushftp-hacked-exploit-cve-2025-2825-with-poc-and-nuclei-template/… https://rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-next-js-cve-2025-29927/…

🧐Deep Dive on the whole PoC: https://projectdiscovery.io/blog/crushftp-authentication-bypass…

PoC Summary using nuclei template:

[Screenshot: nuclei successful exploit validation]

💡Solution: “Update to version 10.8.4+ or 11.3.1+ immediately.”
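To turn the affected and fixed version numbers above into a repeatable inventory check, here is an added Python example (not code from this post, from CrushFTP, or from the linked PoC). The banner strings it parses are constructed samples, and the "CrushFTP <major.minor.patch>" banner format is an assumption.

```python
"""Added example: classify a CrushFTP version against the affected ranges
stated in the post (10.0.0-10.8.3 and 11.0.0-11.3.0) and name the fixed
release (10.8.4+ or 11.3.1+). Illustrative inventory-checking code only."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as (first_vulnerable, last_vulnerable), both inclusive.
AFFECTED_RANGES = [
    ((10, 0, 0), (10, 8, 3)),
    ((11, 0, 0), (11, 3, 0)),
]
# First fixed release per affected major version.
FIXED_VERSIONS = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text: str) -> Optional[Version]:
    """Extract a major.minor.patch tuple from a version string or banner.
    The banner format (e.g. 'CrushFTP 11.2.3') is an assumption; returns
    None when no dotted triple is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version) -> bool:
    """True if the version falls inside either affected range (inclusive).
    Tuple comparison gives correct numeric ordering, so 10.8.10 > 10.8.3."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(banner: str) -> str:
    """Classify one banner/version string for CVE-2025-2825 and name the fix."""
    v = parse_version(banner)
    if v is None:
        return "unknown: no version found"
    dotted = ".".join(map(str, v))
    if is_vulnerable(v):
        fix = ".".join(map(str, FIXED_VERSIONS[v[0]]))
        return f"vulnerable: {dotted} -> update to {fix} or later"
    return f"not affected: {dotted}"


if __name__ == "__main__":
    # Constructed sample inventory entries, not real hosts.
    for banner in ["CrushFTP 10.8.3", "CrushFTP 11.3.1", "CrushFTP 9.5.0", "CrushFTP"]:
        print(banner, "->", assess(banner))
```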