Authentication Bypass Vulnerability in CrushFTP by CrushFTP
CVE-2025-31161

9.8CRITICAL

Key Information:

Vendor
Crushftp
Status
Crushftp
Vendor
CVE Published:
3 April 2025

Badges

🔥 Trending now📈 Trended📈 Score: 2,700📰 News Worthy

What is CVE-2025-31161?

CVE-2025-31161 is a critical authentication bypass vulnerability found in CrushFTP, a software solution designed for secure file transfer protocols. This vulnerability impacts versions of CrushFTP prior to 10.8.4 and 11.3.1, allowing unauthorized users to authenticate as privileged accounts, notably the crushadmin account. If exploited, this vulnerability could lead to significant security breaches, compromising sensitive data and operations, thus posing substantial risks to organizations relying on CrushFTP for file transfer tasks.

Technical Details

CVE-2025-31161 arises from a race condition in the AWS4-HMAC authorization method within the HTTP component of the CrushFTP server. The issue lies in the way user authentication is handled during the login process. When the server checks for user validity without requiring a password, it inadvertently allows an attacker to exploit this flaw by manipulating AWS4-HMAC headers. By presenting a valid username followed by a slash, the server can be deceived into authenticating the user through a flawed race condition, permitting unauthorized access to the system with administrative capabilities.

Potential impact of CVE-2025-31161

  1. Unauthorized Access and Control: The most immediate concern is that attackers can gain control over administrative accounts, allowing them to execute commands or alter configurations without detection.

  2. Data Breach Risks: With administrative access, malicious actors can access, manipulate, or exfiltrate sensitive data, leading to potential data breaches that could severely damage an organization's reputation and compliance standing.

  3. System Compromise: The ability to authenticate as a privileged user increases the likelihood of deploying further exploits or malware, resulting in broader system compromise throughout an organization’s infrastructure.

Affected Version(s)

CrushFTP 10 < 10.8.4

CrushFTP 11 < 11.3.1

News Articles

Disclosure Drama Clouds CrushFTP Vulnerability Exploitation

CrushFTP CEO Ben Spink slammed several cybersecurity companies for creating confusion around a critical authentication bypass flaw that's currently under attack.

3 days ago

favicon imageSecurityWeek

Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy

Two CVEs now exist for an actively exploited CrushFTP vulnerability and much of the security industry is using the ‘wrong one’.

4 days ago

References

https://outpost24.com/blog/crushftp-auth-bypass-vulnerabi...
https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#sec...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 📈

    Vulnerability started trending

  • 📰

    First article discovered by SecurityWeek

  • Vulnerability published

  • Vulnerability Reserved

.