PT-2025-14099 · Crushftp · Crushftp

Mortem · Published 2025-03-13 · Updated 2025-07-26 · CVE-2025-31161

CVSS v2.0: 10 (Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)

**Name of the Vulnerable Software and Affected Versions:**

CrushFTP versions 10.0.0 through 10.8.3

CrushFTP versions 11.0.0 through 11.3.0

**Description:**

CrushFTP is affected by an authentication bypass vulnerability that allows an unauthenticated attacker to potentially take over the `crushadmin` account. The flaw, exploited in the wild since March 2025, is a race condition in the AWS4-HMAC authorization method of the HTTP component. By sending a crafted AWS4-HMAC header containing only a username followed by a trailing slash (/), an attacker can bypass authentication and gain administrative access. Exploitation has been observed by several threat actors, including the Kill ransomware gang, and has led to the installation of backdoors such as MeshAgent and AnyDesk. Approximately 815 servers were identified as vulnerable, with attacks targeting sectors including marketing, retail, and semiconductors.
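As an added detection example (not part of this advisory or of CrushFTP's own code), the following Python flags AWS4-HMAC Authorization headers whose credential scope is incomplete, such as a bare username followed by a slash as described above. It assumes the standard AWS Signature Version 4 header layout (`Credential=<key>/<date>/<region>/<service>/aws4_request`) and a constructed log format; the log lines, paths and IP addresses are made up.

```python
import re

# Added detection logic; assumes the HTTP component accepts a standard
# AWS SigV4 Authorization header whose Credential scope looks like
#   <access-key>/<date>/<region>/<service>/aws4_request
# A credential of just "<username>/" has an empty scope and is flagged.
CRED_RE = re.compile(r"Credential=([^,\s]*)")
EXPECTED_SCOPE_PARTS = 5  # key, date, region, service, aws4_request


def credential_scope_is_malformed(auth_header: str) -> bool:
    """True if an AWS4-HMAC Authorization header carries an incomplete
    credential scope (for example 'crushadmin/')."""
    if not auth_header.upper().startswith("AWS4-HMAC"):
        return False  # other auth schemes are out of scope here
    m = CRED_RE.search(auth_header)
    if not m:
        return True  # AWS4-HMAC with no Credential field at all is odd
    parts = m.group(1).split("/")
    return (len(parts) != EXPECTED_SCOPE_PARTS
            or parts[-1] != "aws4_request"
            or any(p == "" for p in parts))


def scan_log(lines):
    """Return [(line_no, credential)] for suspicious requests in a
    constructed log format where the header is logged as auth="..."."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'auth="([^"]*)"', line)
        if m and credential_scope_is_malformed(m.group(1)):
            cred = CRED_RE.search(m.group(1))
            findings.append((n, cred.group(1) if cred else ""))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 GET /example/ auth="AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20250313/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=abc"',
    '203.0.113.9 GET /example/ auth="AWS4-HMAC-SHA256 Credential=crushadmin/, SignedHeaders=host, Signature=abc"',
    '203.0.113.7 GET /example/ auth="Basic dXNlcjpwYXNz"',
]

if __name__ == "__main__":
    for n, cred in scan_log(SAMPLE_LOG):
        print(f"line {n}: suspicious AWS4-HMAC credential scope {cred!r}")
```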

**Recommendations:**

CrushFTP versions 10.0.0 through 10.8.3: Upgrade to version 10.8.4 or later.

CrushFTP versions 11.0.0 through 11.3.0: Upgrade to version 11.3.1 or later.

Exploit · Fix · RCE

Related Identifiers

BDU:2025-03886
CVE-2025-31161

Affected Products

Crushftp