PT-2025-14099 · CrushFTP · CrushFTP

Mortem · Published 2025-03-13 · Updated 2025-07-21 · CVE-2025-31161

CVSS v2.0: 10.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions:

CrushFTP versions 10.0.0 through 10.8.3

CrushFTP versions 11.0.0 through 11.3.0

Description:

A critical authentication bypass in CrushFTP allows an unauthenticated remote attacker to obtain an authenticated session for any known account, including the administrative account, and from there to execute arbitrary commands on the host. The flaw is a race condition in the handling of the AWS4-HMAC authorization method in the HTTP(S) component of the CrushFTP server: when the Authorization header uses the AWS4-HMAC scheme, the server looks up the user named in the Credential field and authenticates the session through its "anypass" login path before the signature is verified. A mangled header whose Credential field contains only the username followed by a slash (/), with no date, region, service or signature scope behind it, causes the signature check to be skipped or to fail without the session being torn down, so the session stays authenticated without a password. The vulnerability has been exploited in the wild since March 30, 2025, and has been used to compromise exposed servers; at the time of writing, over 815 vulnerable servers remained reachable from the Internet. Successful exploitation against the administrative account leads to full compromise of the system.
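Two checks a defender wants from this description: whether a given CrushFTP build falls inside the affected ranges, and whether an incoming Authorization header has the truncated "username/" shape described above rather than a well-formed AWS Signature Version 4 credential scope (access key, date, region, service, aws4_request). The following is an added example written for this advisory, not CrushFTP code or a vendor-supplied tool; the request records at the bottom are constructed, and the idea that a legitimate S3-style client always sends a five-part scope ending in aws4_request follows from the public SigV4 format, not from anything CrushFTP documents.

```python
"""Triage helpers for CVE-2025-31161 (CrushFTP AWS4-HMAC auth bypass).

Added example for this advisory (not CrushFTP's own code):
  1. is_affected_version(): is a CrushFTP version string inside the
     affected ranges 10.0.0-10.8.3 or 11.0.0-11.3.0?
  2. classify_aws4_header(): does an Authorization header carry a
     well-formed SigV4 credential scope, or the truncated "user/"
     shape the advisory describes?
  3. flag_requests(): run the classifier over (constructed) request
     records and return the ones worth investigating.
"""
import re

# Inclusive version ranges named in the advisory.
AFFECTED_RANGES = [((10, 0, 0), (10, 8, 3)), ((11, 0, 0), (11, 3, 0))]


def parse_version(text):
    """Turn '10.8.3' or '11.3.0_build' into a comparable 3-tuple."""
    nums = []
    for part in text.strip().split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected_version(text):
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Scheme token, e.g. "AWS4-HMAC-SHA256", followed by comma-separated k=v params.
AWS4_RE = re.compile(r"^AWS4-HMAC\S*\s+(?P<params>.*)$", re.I)


def classify_aws4_header(value):
    """Return 'not-aws4', 'well-formed' or 'suspicious-truncated'."""
    m = AWS4_RE.match(value.strip())
    if not m:
        return "not-aws4"
    params = {}
    for kv in m.group("params").split(","):
        if "=" in kv:
            k, v = kv.strip().split("=", 1)
            params[k] = v.strip()
    scope = params.get("Credential", "").split("/")
    # Genuine SigV4: access-key/date/region/service/aws4_request,
    # five non-empty parts. "crushadmin/" splits into ["crushadmin", ""].
    if len(scope) == 5 and all(scope) and scope[-1] == "aws4_request":
        return "well-formed"
    return "suspicious-truncated"


def flag_requests(records):
    """Return records whose Authorization header looks like the bypass shape.

    Each record is a dict with 'src', 'path' and 'authorization' keys
    (constructed here; adapt to your proxy or access-log format)."""
    flagged = []
    for rec in records:
        verdict = classify_aws4_header(rec.get("authorization", ""))
        if verdict == "suspicious-truncated":
            flagged.append({**rec, "verdict": verdict})
    return flagged


# Constructed sample records, not captured traffic.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "path": "/WebInterface/function/",
     "authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/"},
    {"src": "198.51.100.4", "path": "/bucket/object",
     "authorization": ("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20250401/"
                       "us-east-1/s3/aws4_request, SignedHeaders=host;"
                       "x-amz-date, Signature=0123abcd")},
    {"src": "192.0.2.9", "path": "/WebInterface/login.html",
     "authorization": "Basic dXNlcjpwYXNz"},
]

if __name__ == "__main__":
    for ver in ("10.8.3", "10.8.4", "11.3.0", "11.3.1"):
        print(ver, "affected" if is_affected_version(ver) else "fixed")
    for hit in flag_requests(SAMPLE_REQUESTS):
        print("FLAG", hit["src"], hit["path"], hit["authorization"])
```

Run this over your reverse-proxy or CrushFTP access logs for the period after March 30, 2025; a hit on the WebInterface paths with a truncated Credential field is an indicator worth correlating with subsequent administrative actions, while well-formed SigV4 headers against an S3 endpoint are expected client traffic. A positive version check is reason to patch regardless of whether any hit is found.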

Recommendations:

For CrushFTP versions 10.0.0 through 10.8.3, update to version 10.8.4 or later.

For CrushFTP versions 11.0.0 through 11.3.0, update to version 11.3.1 or later.

As a temporary workaround until the update can be applied, place the server behind a CrushFTP DMZ proxy instance so that the main server's HTTP(S) interface is not directly reachable from untrusted networks.

Tags: Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

BDU:2025-03886
CVE-2025-31161

Affected Products

CrushFTP