CVE-2025-2825

Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-31161. Reason: This Record is a reservation duplicate of CVE-2025-31161. Notes: All CVE users should reference CVE-2025-31161 instead of this Record. All references and descriptions in this Record have been removed to prevent accidental usage.
CVSS

No CVSS.

References

No reference.

Configurations

No configuration.

History

04 Apr 2025, 20:15

Type Values Removed Values Added
CWE CWE-287
CVSS v2 : unknown
v3 : 9.8
v2 : unknown
v3 : unknown
Summary
  • (es) CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.
Summary
  • Removed: (en) CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability in the S3 authorization header processing that allows authentication bypass. Remote and unauthenticated HTTP requests to CrushFTP with known usernames can be used to impersonate a user and conduct actions on their behalf, including administrative actions and data retrieval.
  • Added: (en) Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-31161. Reason: This Record is a reservation duplicate of CVE-2025-31161. Notes: All CVE users should reference CVE-2025-31161 instead of this Record. All references and descriptions in this Record have been removed to prevent accidental usage.
References
  • {'url': 'https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis', 'source': 'disclosure@vulncheck.com'}
  • {'url': 'https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/', 'source': 'disclosure@vulncheck.com'}
  • {'url': 'https://projectdiscovery.io/blog/crushftp-authentication-bypass', 'source': 'af854a3a-2127-422b-91ae-364da2661108'}
  • {'url': 'https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2025/CVE-2025-2825.yaml', 'source': 'disclosure@vulncheck.com'}
  • {'url': 'https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update', 'source': 'disclosure@vulncheck.com'}
  • {'url': 'https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-next-js-cve-2025-29927/', 'source': 'disclosure@vulncheck.com'}
  • {'url': 'https://www.runzero.com/blog/crushftp/', 'source': 'disclosure@vulncheck.com'}

02 Apr 2025, 21:15

Type Values Removed Values Added
References
  • () https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/ -

01 Apr 2025, 19:15

Type Values Removed Values Added
Summary
  • Removed: (en) CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.
  • Added: (en) CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability in the S3 authorization header processing that allows authentication bypass. Remote and unauthenticated HTTP requests to CrushFTP with known usernames can be used to impersonate a user and conduct actions on their behalf, including administrative actions and data retrieval.
References
  • () https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis -
  • () https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2025/CVE-2025-2825.yaml -

28 Mar 2025, 17:15

Type Values Removed Values Added
References
  • () https://projectdiscovery.io/blog/crushftp-authentication-bypass -

27 Mar 2025, 16:45

Type Values Removed Values Added
Summary
  • (es) CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.

26 Mar 2025, 17:15

Type Values Removed Values Added
CWE CWE-287

26 Mar 2025, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-03-26 16:15

Updated : 2025-04-04 20:15


NVD link : CVE-2025-2825

Mitre link : CVE-2025-2825

CVE.ORG link : CVE-2025-2825



Products Affected

No product.

CWE

No CWE.