CrushFTP Unauthorized Admin Access Scanner
Detects the 'Unauthorized Admin Access' vulnerability in CrushFTP, which affects versions 10.x before 10.8.5 and 11.x before 11.3.4_23.
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 9 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
The software in question, CrushFTP, is a robust file transfer server used by enterprises and individuals alike to manage their file transfers securely. It supports multiple protocols and gives administrators fine-grained control over user access and file sharing, which makes it particularly popular with organizations that need precise control over file distribution. It provides detailed logs and a range of authentication methods, runs on various operating systems, and combines a user-friendly interface with a rich feature set, which has earned it a considerable user base worldwide.
The identified vulnerability is unauthorized admin access caused by a race condition in CrushFTP's authentication process. Attackers can exploit it to bypass authentication controls and gain entry without valid credentials. The race condition stems from improper handling of concurrent access attempts, an oversight that lets malicious actors reach areas that are normally restricted. External actors take advantage of the flaw by timing their requests to coincide with certain operations inside the software and so slipping past the restrictions. It is a critical weakness because it opens doors that are supposed to stay locked under normal circumstances, and it underlines the need for designs that account for concurrency and handle sensitive operations atomically.
The vulnerability details show that the race condition is triggered through mishandled AS2 validation when the DMZ proxy feature is not in use. An attacker can craft HTTP requests aimed at the WebInterface function to exploit flawed logic that allows the admin access bypass. By racing multiple HTTP requests with specific headers and content types, the attacker pushes the server into mismatched validation states. The attack relies on sending simultaneous requests that exploit the concurrent-processing flaw and then retrieving the user list and other admin-level data. The random characters used in the input do not provide adequate protection either, as seen in the attack method involving AS2 headers.
When malicious users exploit this vulnerability, they gain unauthorized admin access, which can lead to data theft, unauthorized data manipulation, and disruption of file services. Exposure of sensitive user data is a real threat, with privacy violations and potentially significant financial and reputational damage for the targeted organization. An attacker with admin privileges can alter configurations, plant backdoors, or steal sensitive data, any of which can severely impair an organization's operations. The broad access granted by the bypass amounts to a complete compromise of the software's intended security model, rendering its original precautions ineffective.
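As an added example (not part of this scanner page or CrushFTP's own code), the following Python check parses a CrushFTP version string, including the `_build` suffix seen in 11.3.4_23, decides whether it falls in the affected ranges this page names, and triages a constructed inventory of hosts. The host names and versions in the inventory are hypothetical sample data.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges as stated on this page: 10.x before 10.8.5, 11.x before 11.3.4_23.
# Each entry is the first fixed version on that branch as (major, minor, patch, build).
FIRST_FIXED = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a CrushFTP version string such as '11.3.4_23' or '10.8.3' into a
    comparable (major, minor, patch, build) tuple. A version without a '_build'
    suffix is treated as build 0, so '11.3.4' sorts before '11.3.4_23'."""
    match = _VERSION_RE.fullmatch(version.strip())
    if match is None:
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    major, minor, patch, build = match.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def is_affected(version: str) -> bool:
    """True when the version lies in an affected range named on this page.
    Branches other than 10 and 11 are not named there, so they return False."""
    parsed = parse_version(version)
    first_fixed = FIRST_FIXED.get(parsed[0])
    return first_fixed is not None and parsed < first_fixed


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return, sorted, the hosts whose reported version still needs patching.
    Unparseable versions are included: an unknown build should be reviewed, not ignored."""
    needs_patch = []
    for host, version in inventory.items():
        try:
            if is_affected(version):
                needs_patch.append(host)
        except ValueError:
            needs_patch.append(host)
    return sorted(needs_patch)


# Constructed sample inventory: hypothetical hosts and versions, not real assets.
SAMPLE_INVENTORY = {
    "ftp-a.example.internal": "10.8.3",
    "ftp-b.example.internal": "10.8.5",
    "ftp-c.example.internal": "11.3.4_22",
    "ftp-d.example.internal": "11.3.4_23",
    "ftp-e.example.internal": "11.3.1",
    "ftp-f.example.internal": "unknown",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update required")
```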