CyberDudeBivash Vulnerability Analysis Report [CVE-2025-54309] – CrushFTP Race Condition

 


Overview

A race condition vulnerability (CVE-2025-54309) was recently disclosed in CrushFTP, a widely used secure file transfer and server software. The flaw resides in its CrushAuth authentication mechanism and enables attackers to replay authentication tokens, ultimately leading to unauthorized execution of sensitive functions.

  • CVSS v3 Score: 8.5 (High Severity)

  • Affected Product: CrushFTP versions prior to the patched release (builds < v11.6.1)

  • Impact: Privilege escalation, unauthorized configuration changes, potential data exposure

  • Exploitation Status: Public advisories confirm the issue; proof-of-concept attack scenarios exist


Technical Analysis

  • Vulnerability Type: Race Condition / Authentication Replay

  • Root Cause: CrushFTP’s CrushAuth mechanism fails to properly synchronize and invalidate authentication tokens under certain conditions, allowing attackers to reuse valid tokens for unauthorized actions.

  • Exploitation Vector:

    1. Attacker captures or generates a valid authentication token.

    2. Due to improper synchronization, multiple concurrent requests allow replay of this token.

    3. Attacker gains unauthorized access to functions like setUserItem or administrative actions.

  • MITRE ATT&CK Mapping:

    • T1078: Valid Accounts

    • T1550.003: Use of Authentication Tokens

    • T1068: Exploitation for Privilege Escalation


Threat Actor Perspective

  • Initial Access: Attacker may phish or sniff a valid user token.

  • Execution: Replay attack on the vulnerable CrushAuth flow.

  • Impact:

    • Unauthorized privilege escalation

    • Modification of user items, access policies, or system configurations

    • Potential compromise of stored data, sensitive files, or administrative control

Targets at Risk: Enterprises relying on CrushFTP for secure B2B file transfers, cloud storage, or managed file transfer (MFT) systems.


Detection & Hunting

Indicators of Exploitation

  • Multiple simultaneous API calls using the same CrushAuth token.

  • Unexpected invocation of setUserItem or related admin functions.

  • Logs showing repeated valid authentication attempts within milliseconds.

Hunting Queries

  • SIEM Example:

index=crushftp_logs | bin _time span=1s | stats count by _time, user, auth_token | where count > 5

  • Alert on anomalies in CrushFTP logs with repeated token reuse.
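
The token-reuse indicator above, written as a small log detector. This is an added example, not code from CrushFTP or from the original report; the log layout, field names and sample events are constructed assumptions. It uses a sliding window, so it also flags a burst that straddles a one-second boundary, which per-second counting splits in two.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, NOT real CrushFTP log output. Assumed layout:
# ISO-8601 timestamp, user, auth_token, function (one event per line).
# "other_function" is a placeholder name; setUserItem is the one the report names.
SAMPLE_LOG = """\
2025-01-01T09:14:02.700 alice tokA other_function
2025-01-01T09:14:02.910 bob tokB setUserItem
2025-01-01T09:14:02.930 bob tokB setUserItem
2025-01-01T09:14:02.950 bob tokB setUserItem
2025-01-01T09:14:03.010 bob tokB setUserItem
2025-01-01T09:14:03.020 bob tokB setUserItem
2025-01-01T09:14:03.040 bob tokB setUserItem
2025-01-01T09:14:09.000 alice tokA other_function
""".splitlines()


def parse(line):
    ts, user, token, function = line.split()
    return datetime.fromisoformat(ts), user, token, function


def sliding_window_bursts(lines, threshold=5, window=timedelta(seconds=1)):
    """Flag (user, token) pairs used more than `threshold` times within any
    `window`-long interval. Returns {(user, token): (peak_count, functions)}."""
    recent = defaultdict(deque)   # (user, token) -> events still inside the window
    hits = {}
    for ts, user, token, function in sorted(map(parse, lines)):
        q = recent[(user, token)]
        q.append((ts, function))
        while ts - q[0][0] >= window:      # drop events older than the window
            q.popleft()
        if len(q) > threshold:
            peak, funcs = hits.get((user, token), (0, set()))
            hits[(user, token)] = (max(peak, len(q)), funcs | {f for _, f in q})
    return hits


def fixed_bin_bursts(lines, threshold=5):
    """Same rule counted per calendar second, as a 1-second time bin would."""
    counts = defaultdict(int)
    for ts, user, token, _ in map(parse, lines):
        counts[(ts.replace(microsecond=0), user, token)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("sliding window:", sliding_window_bursts(SAMPLE_LOG))
    print("fixed 1s bins: ", fixed_bin_bursts(SAMPLE_LOG))
```
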


Mitigation & Patch Guidance

  • Upgrade Immediately: Patch to CrushFTP v11.6.1 or later, where token synchronization issues are fixed.

  • Session Management Hardening:

    • Enforce token invalidation after single use.

    • Apply stricter replay detection controls.

  • Monitoring:

    • Enable verbose logging for all authentication-related events.

    • Audit for anomalous token replay attempts.

  • Network Segmentation:

    • Restrict CrushFTP server exposure to only trusted IPs.

    • Use WAF/IDS rules to monitor for repeated replay sequences.


Lessons Learned

  • Authentication tokens = high-value targets → Replay protection must always be enforced.

  • Race conditions remain underestimated vulnerabilities, often overlooked in security reviews.

  • Defense in Depth → Strong session invalidation + monitoring + patches are essential for secure file transfer systems.



#CyberDudeBivash #ThreatWire #CVE202554309 #CrushFTP #RaceCondition #ReplayAttack #PrivilegeEscalation #FileTransferSecurity #ThreatHunting #IncidentResponse
