
A severe authentication bypass vulnerability has been identified in CrushFTP, a popular multi-protocol file transfer server used by many organizations for secure data exchange. The vulnerability, designated CVE-2025-2825 (the same flaw is also tracked as CVE-2025-31161, the identifier assigned via Outpost24 after CrushFTP disputed the first one), affects versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 and has received a critical CVSS score of 9.8.
The flaw, reported by the Outpost24 team, allows a remote, unauthenticated attacker to log in to a CrushFTP server without valid credentials. It stems from a design flaw in how CrushFTP handles authentication for its Amazon S3-compatible API.
According to the ProjectDiscovery research team, the issue lies in the dual-purpose use of a flag called "lookup_user_pass" within the authentication code.
This flag was originally intended to indicate whether the server should look up the user's stored password rather than use one supplied in the request. However, the same boolean is also passed as the "anyPass" argument to the login function, where a true value disables password verification altogether: any request that names an existing user in an S3-style Credential header sets the flag, and the flag then doubles as a bypass.
"If anyPass is true, password verification is skipped entirely," states the ProjectDiscovery report, highlighting the critical nature of this implementation flaw.

CrushFTP addressed this vulnerability in version 11.3.1 (and 10.8.4 for the 10.x branch) by implementing several security measures, including a new parameter called "s3_auth_lookup_password_supported" that is set to false by default, and adding checks to block the vulnerable authentication path.
The timeline for this vulnerability shows a rapid response from both the security community and the vendor. The National Vulnerability Database published details on March 26, 2025; CrushFTP had already shipped the patched versions 11.3.1 and 10.8.4, having notified customers on March 21. ProjectDiscovery published a Nuclei template to detect instances vulnerable to CVE-2025-2825 on March 28.
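To make the "dual-purpose flag" concrete, the following is an added, constructed Python model of the control-flow bug described above and of the two fixes (a default-off setting plus a blocked path). It is not CrushFTP's code; apart from the names lookup_user_pass, anyPass and s3_auth_lookup_password_supported taken from the reports, every function, header layout and the toy signature scheme are assumptions made for the example.

```python
"""
Constructed model of the CVE-2025-2825 flaw: a boolean meant to decide
*where* a password comes from is reused as the login routine's "anyPass"
escape hatch. Not CrushFTP code; names other than lookup_user_pass,
anyPass and s3_auth_lookup_password_supported are invented for this example.
"""
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed user store (username -> secret). Plaintext only to keep the model short.
USERS: Dict[str, str] = {"crushadmin": "s3cret-example-key"}

# Assumed header shape for the S3-compatible path. Only the Credential= prefix
# matters for the flaw; the Signature= part is used by the hardened model.
AUTH_RE = re.compile(
    r"AWS4-HMAC-SHA256 Credential=(?P<user>[^/,]+)/[^,]*"
    r"(?:,\s*Signature=(?P<sig>[0-9a-f]+))?"
)


def login_user(username: str, password: Optional[str], any_pass: bool) -> bool:
    """Model of a login routine with an 'anyPass' flag: when it is True the
    password is never compared at all."""
    stored = USERS.get(username)
    if stored is None:
        return False
    if any_pass:
        return True  # vulnerable branch: verification skipped entirely
    return password is not None and hmac.compare_digest(stored, password)


def s3_auth_vulnerable(headers: Dict[str, str]) -> Optional[str]:
    """Pre-fix flow. A parsable Credential= prefix sets lookup_user_pass
    ('fetch the password server-side'), and that same boolean is forwarded to
    login_user as anyPass. Returns the authenticated username or None."""
    m = AUTH_RE.match(headers.get("Authorization", ""))
    if not m:
        return None
    lookup_user_pass = True  # intent: look the password up, not take one from the request
    user = m.group("user")
    # Parameter overloading: the lookup flag doubles as the bypass flag.
    return user if login_user(user, None, any_pass=lookup_user_pass) else None


def _expected_signature(secret: str, method: str, path: str, date: str) -> str:
    """Toy stand-in for a SigV4-style request signature (assumption: HMAC-SHA256
    over a few request fields keyed with the user's secret). Not real SigV4."""
    msg = f"{method}\n{path}\n{date}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def s3_auth_fixed(headers: Dict[str, str], method: str, path: str,
                  s3_auth_lookup_password_supported: bool = False) -> Optional[str]:
    """Post-fix flow, modelling the two measures the advisory describes:
    the server-side lookup path is gated by a setting that defaults to False,
    and even when enabled the request must carry a signature that verifies
    against the stored secret. any_pass=True is never reachable from here."""
    m = AUTH_RE.match(headers.get("Authorization", ""))
    if not m:
        return None
    if not s3_auth_lookup_password_supported:
        return None  # default: the vulnerable path is blocked outright
    user, sig = m.group("user"), m.group("sig")
    secret = USERS.get(user)
    if secret is None or sig is None:
        return None
    expected = _expected_signature(secret, method, path, headers.get("x-amz-date", ""))
    return user if hmac.compare_digest(expected, sig) else None


def signed_headers(user: str, method: str, path: str, date: str) -> Dict[str, str]:
    """Build a legitimately signed request (constructed client side of the toy scheme)."""
    sig = _expected_signature(USERS[user], method, path, date)
    cred = f"{user}/{date[:8]}/us-east-1/s3/aws4_request"
    return {"Authorization": f"AWS4-HMAC-SHA256 Credential={cred}, Signature={sig}",
            "x-amz-date": date}


# Constructed forged request: names an existing user, carries no valid signature.
FORGED = {"Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/20250326/us-east-1/s3/aws4_request, Signature=00"}

if __name__ == "__main__":
    print("vulnerable:", s3_auth_vulnerable(FORGED))          # crushadmin
    print("fixed (default):", s3_auth_fixed(FORGED, "GET", "/"))  # None
    good = signed_headers("crushadmin", "GET", "/", "20250326T000000Z")
    print("fixed (opt-in, signed):", s3_auth_fixed(good, "GET", "/", True))  # crushadmin
```

The point of the model is the single line in s3_auth_vulnerable that passes lookup_user_pass as any_pass: no password ever reaches login_user, so knowing a valid username is enough. The hardened version makes the bypass unreachable by construction rather than by adding one more check in front of it.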
This case underscores how parameter overloading in authentication code can turn a harmless-looking flag into a complete bypass. Organizations using CrushFTP should immediately upgrade to version 11.3.1 or later (10.8.4 or later on the 10.x branch) to protect their systems from unauthorized access; according to the vendor's advisory, instances fronted by CrushFTP's DMZ proxy are not exposed, but that is a stopgap, not a substitute for patching.
ProjectDiscovery has made a detection template available through its Cloud platform to help organizations identify vulnerable installations, and it offers free monthly scans to detect this and other emerging threats.