# CVE-2025-54309 CrushFTP Authentication Bypass
## Overview
CVE-2025-54309 is an authentication bypass vulnerability in CrushFTP that allows an unauthenticated request to create an administrative user by manipulating the `AS2-To` header.
## Technical Details
### Vulnerability Location
- **File**: `crushftp/server/ServerSessionHTTP.java`
- **Method**: `loginCheckHeaderAuth()` (line 2285)
- **Root Cause**: Improper AS2 header validation logic
### Vulnerable Code
```java
} else if (this.headerLookup.containsKey("as2-to".toUpperCase())) {
    if (this.headerLookup.getProperty("as2-to".toUpperCase()).trim().indexOf("-_-") < 0 && !ServerStatus.BG("blank_passwords")) {
        return; // Authentication bypass occurs here
    }
```
### Exploitation Method
1. Send a POST request to `/WebInterface/function/` with an empty `AS2-To` header
2. Include the `setUserItem` command in the request body
3. The server skips authentication because the `AS2-To` header lacks the `-_-` delimiter
4. An administrative user is created without proper authentication
## Affected Versions
- CrushFTP 10.x < 10.8.5
- CrushFTP 11.x < 11.3.4_23
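The following is an added defensive example, not part of the original PoC: it turns the request pattern described above and the affected-version ranges into triage helpers. The request records and field layout are constructed for illustration.

```python
"""Defensive triage for CVE-2025-54309 (added example; not the PoC's code)."""
from typing import Dict, List, Optional, Tuple

AS2_DELIMITER = "-_-"                  # delimiter the vulnerable check requires
FUNCTION_PATH = "/WebInterface/function/"
FIRST_FIXED = {10: (10, 8, 5), 11: (11, 3, 4, 23)}  # 10.8.5 and 11.3.4_23


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.3.4_23' into (11, 3, 4, 23); non-numeric parts are dropped."""
    return tuple(int(p) for p in version.replace("_", ".").split(".") if p.isdigit())


def is_affected(version: str) -> bool:
    """True when the build falls in the affected 10.x or 11.x ranges."""
    parts = parse_version(version)
    fixed = FIRST_FIXED.get(parts[0]) if parts else None
    return fixed is not None and parts < fixed


def classify_request(method: str, path: str, headers: Dict[str, str],
                     body: str) -> Optional[str]:
    """Return a finding for a request matching the bypass pattern, else None."""
    if method.upper() != "POST" or not path.startswith(FUNCTION_PATH):
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    as2_to = lowered.get("as2-to")
    if as2_to is None or AS2_DELIMITER in as2_to.strip():
        return None  # no AS2 auth path, or header carries the expected delimiter
    if "setUserItem" in body:
        return "high: AS2-To without '-_-' plus setUserItem (admin creation attempt)"
    return "medium: AS2-To without '-_-' on function endpoint"


# Constructed sample records (method, path, headers, body), not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/WebInterface/function/", {"AS2-To": ""}, "command=setUserItem&username=x"),
    ("POST", "/WebInterface/function/", {"AS2-To": "partner-_-site"}, "command=getUserList"),
    ("GET", "/WebInterface/login.html", {}, ""),
    ("POST", "/WebInterface/function/", {"as2-to": "  "}, "command=getXMLListing"),
]


def triage(records: List[Tuple[str, str, Dict[str, str], str]]) -> List[Tuple[int, str]]:
    """Index and finding for every record that matches the bypass pattern."""
    hits = []
    for idx, rec in enumerate(records):
        finding = classify_request(*rec)
        if finding:
            hits.append((idx, finding))
    return hits
```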
## Shodan queries
- `http.server_hash:525710691,-1319113083,2114359341,1401270286,-608770667`
- `http.favicon.hash:-1022206565`
- `"/WebInterface/w3c/p3p.xml"`
## Google dorks
- `intitle:"CrushFTP WebInterface"`
- `inurl:"/WebInterface/login.html"`
## Usage
```bash
python3 cve_2025_54309.py <target_url> [-u username] [-p password] [-v]
```
### Examples
```bash
# Basic exploitation
python3 cve_2025_54309.py http://crushftp.example.com:8080
# Custom credentials
python3 cve_2025_54309.py https://crushftp.example.com -u kali -p kali1
# With login verification
python3 cve_2025_54309.py http://crushftp.example.com -v
```
## Requirements
- Python 3.x
- requests library
## Disclaimer
This tool is for authorized security testing only. Users are responsible for compliance with applicable laws and regulations.