A critical vulnerability has been discovered in CrushFTP, a widely used file transfer server, affecting the 10.x releases before 10.8.4 and the 11.x releases before 11.3.1. The flaw lets an unauthenticated attacker bypass authentication and log in as any existing account, including the administrative crushadmin account, which can lead to complete compromise of the server. It was exploited in the wild in March and April 2025, and exposed servers remain at high risk until they are patched or otherwise shielded. Below, we examine the technical details, the potential impact, and the response to the flaw.
The CrushFTP Vulnerability
The vulnerability in CrushFTP 10 and 11 is an authentication bypass in the AWS4-HMAC (AWS Signature Version 4) authentication method that the server accepts on its HTTP(S) listener for S3-style requests. Advisories describe it as a race condition: the session is established before the request's signature has actually been verified, so an attacker who makes the verification step fail in the right way is left with a logged-in session and never has to present a password.
- Exploitation process: the flaw lets a remote user authenticate without supplying a password because of the order of operations in the login_user_pass() routine. The username is read from the Authorization header and the session is created before the signature is checked.
- Mangled header: the attacker sends an AWS4-HMAC Authorization header whose Credential field contains only a username followed by a slash (for example Credential=crushadmin/) and nothing else. With no credential scope or signed headers to verify, the verification step throws an error instead of cleanly rejecting the login, and the code path that would have torn down the half-built session never runs. The attacker is left holding an authenticated session for that user.
- Access and system takeover: any known or guessable username works, so the obvious target is the administrative account crushadmin. With administrative access an attacker controls the whole server, its users, and its configuration.
- Criticality and CVSS score: the vulnerability carries a critical CVSS score of 9.8. Anyone running a 10.x build older than 10.8.4 or an 11.x build older than 11.3.1 should update to those versions (or later) immediately.
- Impact and risk: exploitation can lead to arbitrary code execution, theft of the files the server holds, or full control of the host, depending on what the compromised account is allowed to do.
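The ordering bug described above, reduced to a runnable model. This is an added illustration and not CrushFTP's code: the user table, the session store, the function names and the HMAC "signature" are all hypothetical stand-ins for the real AWS Signature Version 4 verification. The vulnerable routine commits the session first and lets a malformed header escape as an exception; the hardened routine verifies first, treats any failure (including a malformed header) as a denial, and only then creates the session.

```python
"""Model of a check-after-commit authentication bug and its fix.

Added example, not CrushFTP's code. Names and the signing scheme are
hypothetical; the point is the order of session creation vs. verification.
"""
import hashlib
import hmac

# Constructed user table: username -> secret used to sign requests.
USERS = {"crushadmin": b"admin-secret", "alice": b"alice-secret"}

# Active sessions: session id -> username. An entry here means "logged in".
SESSIONS = {}

PREFIX = "AWS4-HMAC-SHA256 "


def parse_aws4_credential(auth_header):
    """Return the Credential= value of an AWS4-HMAC-SHA256 Authorization header.

    A genuine value looks like 'accesskey/20250401/us-east-1/s3/aws4_request';
    the username is everything before the first slash.
    """
    if not auth_header.startswith(PREFIX):
        raise ValueError("not an AWS4-HMAC-SHA256 header")
    for part in auth_header[len(PREFIX):].split(","):
        part = part.strip()
        if part.startswith("Credential="):
            return part[len("Credential="):]
    raise ValueError("no Credential= field")


def sign_request(username, scope, signed_headers):
    """Hypothetical signer: HMAC over the credential scope and signed-header list."""
    msg = (scope + "|" + signed_headers).encode()
    return hmac.new(USERS[username], msg, hashlib.sha256).hexdigest()


def verify_signature(credential, signed_headers, signature, secret):
    """Stand-in verifier. A malformed credential (empty scope) or an empty
    SignedHeaders list raises instead of returning False, which is the
    behaviour the article's 'error that prevents session cleanup' relies on."""
    parts = credential.split("/", 1)
    scope = parts[1] if len(parts) > 1 else ""
    if not scope or not signed_headers:
        raise RuntimeError("malformed credential scope or SignedHeaders")
    msg = (scope + "|" + signed_headers).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def login_vulnerable(session_id, auth_header, signed_headers="", signature=""):
    """Vulnerable ordering: the session is committed as soon as a username is
    read from the header; verification runs afterwards and an exception on
    malformed input skips the cleanup line."""
    credential = parse_aws4_credential(auth_header)
    username = credential.split("/", 1)[0]
    if username not in USERS:
        return False
    SESSIONS[session_id] = username          # committed before any check
    try:
        ok = verify_signature(credential, signed_headers, signature, USERS[username])
    except RuntimeError:
        return False                         # BUG: the SESSIONS entry survives
    if not ok:
        del SESSIONS[session_id]             # cleanup only on a clean failure
    return ok


def login_fixed(session_id, auth_header, signed_headers="", signature=""):
    """Hardened ordering: verify first, map any error to a denial, and create
    the session only after a successful check."""
    credential = parse_aws4_credential(auth_header)
    username = credential.split("/", 1)[0]
    if username not in USERS:
        return False
    try:
        ok = verify_signature(credential, signed_headers, signature, USERS[username])
    except RuntimeError:
        ok = False
    if ok:
        SESSIONS[session_id] = username
    return ok


def is_logged_in(session_id):
    return session_id in SESSIONS


def demo():
    """Send the mangled header to both routines; returns (vulnerable, fixed)."""
    SESSIONS.clear()
    mangled = PREFIX + "Credential=crushadmin/"
    login_vulnerable("s1", mangled)
    login_fixed("s2", mangled)
    return is_logged_in("s1"), is_logged_in("s2")


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The lesson generalises beyond this product: never mutate authentication state before every check has passed, and make the failure path of a verifier a denial rather than an exception that bypasses cleanup.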
What Undercode Says:
From a technical perspective, this is a significant flaw in how CrushFTP handles authentication through its AWS4-HMAC method, the AWS Signature Version 4 scheme that S3-compatible clients and cloud file transfer tools use to sign requests. A mechanism designed to protect sensitive transfers is undermined by an ordering bug that lets a request skip the verification step entirely. Password-less access as a high-privilege user is a clear and present danger to any enterprise that exposes the server.
The issue underscores that even mature file transfer servers like CrushFTP are susceptible to simple but dangerous logic and race-condition bugs. Exploitation does not require deep technical knowledge, only the ability to send a crafted HTTP header, yet the outcome is system-wide compromise.
The response from the security community has been swift, with analyses and coverage from ProjectDiscovery, Huntress, and DarkReading, and researchers continue to watch for further developments. The fixed releases are the real mitigation, and system administrators are urged to apply them immediately to close off unauthorized access.
Confirmed in-the-wild exploitation is the alarming part. It shows that attackers keep targeting popular software even when the bug looks subtle, and administrators who rely on CrushFTP for file management and transfer must treat this issue with the highest urgency: administrative access in an attacker's hands means data theft, tampering with the server and its users, or worse.
It is also worth noting that placing CrushFTP's DMZ proxy in front of the main instance is reported to shield it from this exploit. Many environments lack such a setup, however, and the proxy is a stop-gap rather than a fix; updating to a patched version is non-negotiable either way.
Fact Checker Results:
- Criticality confirmed: multiple sources, including Outpost24, rate the vulnerability as critical and confirm it is being exploited in the wild.
- Patch availability: fixed releases (10.8.4 and 11.3.1) are out, and administrators are strongly advised to apply them immediately.
- Common attack vector: the attack relies on a malformed HTTP(S) Authorization header, is well documented, and is rejected by the fixed server versions.
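Two defender-side checks that follow from the points above, written here as an added example rather than any vendor's tooling: a version triage against the affected ranges the advisory names, and a scan for AWS4-HMAC Authorization headers whose Credential value lacks the five-part scope (accesskey/date/region/service/aws4_request) and the SignedHeaders and Signature fields a genuine SigV4 client always sends. The log lines are constructed for this example; the pipe-separated layout (timestamp, client IP, path, Authorization header) is an assumption about whatever reverse proxy, WAF or capture you export headers from, not a CrushFTP log format.

```python
"""Version triage and mangled-header detection for the CrushFTP AWS4-HMAC bypass.

Added example. FIXED mirrors the advisory's ranges; SAMPLE_LOG and its field
layout are constructed for illustration.
"""

# First fixed release per affected major version (10.x < 10.8.4, 11.x < 11.3.1).
FIXED = {10: (10, 8, 4), 11: (11, 3, 1)}

AWS4 = "AWS4-HMAC-SHA256"


def parse_version(text):
    """'11.3.0' -> (11, 3, 0); tuples compare element-wise."""
    return tuple(int(p) for p in text.strip().split("."))


def is_affected_version(text):
    """True if the build falls in an affected range named by the advisory."""
    v = parse_version(text)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # majors the advisory does not list; not 'safe', just out of scope
    return v < fixed


def flag_aws4_header(auth):
    """Return a reason string if an AWS4-HMAC header looks mangled, else None."""
    if not auth or not auth.startswith(AWS4):
        return None
    fields = {}
    for part in auth[len(AWS4):].split(","):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    cred = fields.get("Credential", "")
    scope = cred.split("/")
    # Genuine: accesskey/YYYYMMDD/region/service/aws4_request (five non-empty parts).
    if len(scope) != 5 or not all(scope) or scope[-1] != "aws4_request":
        return "malformed Credential scope: %r" % cred
    if not fields.get("SignedHeaders"):
        return "missing SignedHeaders"
    if not fields.get("Signature"):
        return "missing Signature"
    return None


# Constructed sample: timestamp|client|path|Authorization header.
SAMPLE_LOG = [
    "2025-04-01T10:00:01Z|203.0.113.5|/|AWS4-HMAC-SHA256 Credential=crushadmin/",
    "2025-04-01T10:00:02Z|198.51.100.7|/bucket/report.pdf|AWS4-HMAC-SHA256 "
    "Credential=alice/20250401/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-date, Signature=4f2a9c",
    "2025-04-01T10:00:03Z|203.0.113.5|/WebInterface/|Basic YWxpY2U6cGFzcw==",
    "2025-04-01T10:00:04Z|203.0.113.9|/|AWS4-HMAC-SHA256 "
    "Credential=bob/20250401/us-east-1/s3/aws4_request",
]


def scan(lines):
    """Return (timestamp, client, path, reason) for every suspicious request."""
    hits = []
    for line in lines:
        ts, client, path, auth = line.split("|", 3)
        reason = flag_aws4_header(auth)
        if reason:
            hits.append((ts, client, path, reason))
    return hits


if __name__ == "__main__":
    for build in ("10.8.3", "10.8.4", "11.3.0", "11.3.1"):
        print(build, "affected" if is_affected_version(build) else "fixed")
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Treat a hit as a lead, not a verdict: correlate the client address with subsequent administrative actions or new logins, and remember that presigned S3 URLs carry their credential in the query string rather than the Authorization header, so this scan only covers header-based signing.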
References:
Reported By: www.cve.org