9.8

CVE-2025-2825

Medienbericht

EPSS 5.28%
Veröffentlicht 26.03.2025 15:58:14
Zuletzt bearbeitet 02.04.2025 21:15:33
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability in the S3 authorization header processing that allows authentication bypass. Remote and unauthenticated HTTP requests to CrushFTP with known usernames can be used to impersonate a user and conduct actions on their behalf, including administrative actions and data retrieval.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 12

CNA 0 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	5.28%	0.891

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://www.heise.de/news/Datentransfer-Software-CrushFTP-ermoeglicht-unbefugten-Zugriff-10330546.html

Media Report

https://www.heise.de/news/Angriffe-auf-Sicherheitsleck-in-CrushFTP-beobachtet-10336787.html

Media Report

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-next-js-cve-2025-29927/

https://www.runzero.com/blog/crushftp/

https://projectdiscovery.io/blog/crushftp-authentication-bypass

https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis

https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2025/CVE-2025-2825.yaml

https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/

https://nvd.nist.gov/vuln/detail/CVE-2025-2825

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-2825

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-2825

EUVD