{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2025-015.pdf"
    },
    "title": "Critical vulnerability in CrushFTP",
    "serial_number": "2025-015",
    "publish_date": "03-04-2025 14:55:47",
    "description": "In April 2025, information about an easy-to-exploit critical vulnerability affecting CrushFTP was made public. It is recommended to update affected servers as soon as possible.<br>\nProofs of concept are available, and the vulnerability is being exploited in the wild.<br>\n",
    "url_title": "2025-015",
    "content_markdown": "---\ntitle: 'Critical vulnerability in CrushFTP'\nnumber: '2025-015'\nversion: '1.0'\noriginal_date: '2025-04-03'\ndate: '2025-04-03'\n---\n\n_History:_\n\n* _03/04/2025 --- v1.0 -- Initial publication_\n\n# Summary\n\nIn April 2025, information about an easy-to-exploit critical vulnerability affecting CrushFTP was made public. It is recommended to update affected servers as soon as possible [1,2].\n\nProofs of concept are available, and the vulnerability is being exploited in the wild.\n\n# Technical Details\n\nDue to failures in the vulnerability disclosure process, the vulnerability has been assigned more than one CVE identifier, i.e. **CVE-2025-31161** and **CVE-2025-2825**, with a CVSS score of 9.8.\n\nThe vulnerability is an authentication bypass in the AWS4-HMAC authorisation method of the HTTP component of the CrushFTP server [2].\n\n# Affected Products\n\nThe vulnerability affects CrushFTP version 10 (prior to 10.8.4) and version 11 (prior to 11.3.1).\n\n# Recommendations\n\nCERT-EU recommends updating the affected products to the latest version as soon as possible.\n\n# References\n\n[1] <https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update>\n\n[2] <https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>03/04/2025 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>In April 2025, information about an easy-to-exploit critical vulnerability affecting CrushFTP was made public. It is recommended to update affected servers as soon as possible [1,2].</p><p>Proofs of concept are available, and the vulnerability is being exploited in the wild.</p><h2 id=\"technical-details\">Technical Details</h2><p>Due to failures in the vulnerability disclosure process, the vulnerability has been assigned more than one CVE identifier, i.e. <strong>CVE-2025-31161</strong> and <strong>CVE-2025-2825</strong>, with a CVSS score of 9.8.</p><p>The vulnerability is an authentication bypass in the AWS4-HMAC authorisation method of the HTTP component of the CrushFTP server [2].</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerability affects CrushFTP version 10 (prior to 10.8.4) and version 11 (prior to 11.3.1).</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends updating the affected products to the latest version as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update\">https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/\">https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}