CrushFTP Security Snafu: Your Server’s Back Door is Wide Open!

CrushFTP before versions 10.8.4 and 11.3.1 has a hilarious blunder. Thanks to a race condition and some sloppy header parsing in AWS4-HMAC authorization, you can skip all that pesky authentication and waltz in as admin. Who knew bypassing security could be easier than getting your cat to come inside?

Hot Take:

Well, who knew that a simple header parsing flaw could turn your FTP server into a “Free Takeover Party”? If your FTP is “Crush”ing under this new CVE, it might be time to “crush” it into oblivion or at least update it before hackers RSVP!

Key Points:

  • CrushFTP versions before 10.8.4 and 11.3.1 are vulnerable to authentication bypass.
  • A race condition and a header parsing flaw in AWS4-HMAC authorization are to blame.
  • Attackers can log in as any user, even admin, without a password.
  • Exploit tested on several operating systems, including Ubuntu, Windows Server, and Kali Linux.
  • Security patch needed to prevent unauthorized access and admin takeover.
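For triaging an inventory against the two fixed releases named above, here is an added example (not code from the original post or from CrushFTP): a branch-aware version check. Hostnames and version strings in the sample are constructed.

```python
"""Branch-aware version check for the CrushFTP authentication bypass
described above. Fixed releases per the post: 10.8.4 and 11.3.1."""
from typing import Optional, Tuple

# Fixed release per major branch, taken from the post's key points.
FIXED_BY_BRANCH = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a dotted version string such as '11.2.3' into an int tuple.

    Returns None for anything that is not plain dotted integers, so callers
    flag unknown banners instead of silently treating them as patched.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """Return True if `version` is affected, False if fixed, None if unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major = parsed[0]
    if major < 10:
        # Anything older than the 10.x branch predates the 10.8.4 fix.
        return True
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        # Branches newer than 11 are outside the stated affected range.
        return False
    # Tuple comparison handles differing lengths: (11, 3) < (11, 3, 1).
    return parsed < fixed


def triage(inventory: dict) -> dict:
    """Map host -> status for a {host: version_string} inventory."""
    labels = {True: "VULNERABLE", False: "patched", None: "unknown"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"ftp-a.example.test": "10.8.3", "ftp-b.example.test": "11.3.1",
              "ftp-c.example.test": "11.2.0", "ftp-d.example.test": "banner-missing"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```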

The Nimble Nerd