Authentication Bypass Vulnerability in CrushFTP by CrushFTP
CVE-2025-31161
What is CVE-2025-31161?
CVE-2025-31161 is a critical authentication bypass vulnerability in CrushFTP, a file transfer server. It affects CrushFTP versions prior to 10.8.4 and 11.3.1 and allows an unauthenticated attacker to authenticate as a privileged account, notably the crushadmin account. Successful exploitation can compromise sensitive data and the operations that depend on the server, so it poses a substantial risk to any organization that relies on CrushFTP for file transfer.
Technical Details
CVE-2025-31161 arises from a race condition in the AWS4-HMAC authorization method of the CrushFTP server's HTTP component. The flaw lies in how the login process handles user authentication: the server checks whether the supplied user is valid before it has required a password, and an attacker can exploit that gap by manipulating the AWS4-HMAC headers. By presenting a valid username followed by a slash, the attacker can win the race and be authenticated as that user, obtaining access to the system with administrative capabilities.
Potential impact of CVE-2025-31161
- Unauthorized Access and Control: The most immediate concern is that attackers can gain control over administrative accounts, allowing them to execute commands or alter configurations without detection.
- Data Breach Risks: With administrative access, malicious actors can access, manipulate, or exfiltrate sensitive data, leading to potential data breaches that could severely damage an organization's reputation and compliance standing.
- System Compromise: The ability to authenticate as a privileged user increases the likelihood of deploying further exploits or malware, resulting in broader system compromise throughout an organization's infrastructure.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA tracks the most dangerous vulnerabilities; it has identified this vulnerability as being actively exploited and as known to enable ransomware campaigns.
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
CrushFTP 10 < 10.8.4
CrushFTP 11 < 11.3.1
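The following is an added defender-side example, not code from the vulnerability record or from CrushFTP. It covers two things this page states: a version check against the fixed releases listed above (10.8.4 and 11.3.1), and a triage heuristic for AWS4-HMAC Authorization header values that flags credentials which do not carry the well-formed SigV4 credential scope (access-key/date/region/service/aws4_request), which is how the "username followed by a slash" pattern described in the technical details would appear. The sample headers are constructed; the script takes raw Authorization header values from wherever a defender has them (for example a reverse proxy log) and assumes nothing about CrushFTP's own log format. Function names and the record layout are this example's own.

```python
import re
from typing import Iterable, Optional

# Fixed releases as stated on the page: 10.8.4 for the 10.x branch, 11.3.1 for 11.x.
FIXED_VERSIONS = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '11.2.3' into a comparable tuple.

    Versions with fewer than three components are padded with zeros so that
    '11.3' compares like '11.3.0'; longer versions are compared as given.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums)) if len(nums) < 3 else nums


def is_affected_version(version: str) -> Optional[bool]:
    """True if the version is below the fixed release for its major branch,
    False if it is at or above it, None if the branch is not covered here."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v < fixed


# Pulls the Credential= value out of a SigV4-style Authorization header.
CREDENTIAL_RE = re.compile(r"Credential=([^,\s]*)")


def inspect_aws4_authorization(header: str) -> dict:
    """Heuristic triage of one Authorization header value.

    Returns {'aws4': bool, 'user': str|None, 'suspicious': bool, 'reasons': [..]}.
    A well-formed SigV4 credential has exactly five non-empty slash-separated
    parts; anything else (a bare username with a trailing slash, a truncated
    scope, a missing Signature) is flagged for review. This is a triage
    heuristic assumed for this example, not a signature of the exploit.
    """
    verdict = {"aws4": False, "user": None, "suspicious": False, "reasons": []}
    if not header.startswith("AWS4-HMAC-SHA256"):
        return verdict  # other auth schemes are out of scope for this check
    verdict["aws4"] = True
    match = CREDENTIAL_RE.search(header)
    if not match:
        verdict["reasons"].append("no Credential field")
    else:
        parts = match.group(1).split("/")
        verdict["user"] = parts[0] or None
        if len(parts) != 5 or any(p == "" for p in parts):
            verdict["reasons"].append("malformed credential scope")
    if "Signature=" not in header:
        verdict["reasons"].append("no Signature field")
    verdict["suspicious"] = bool(verdict["reasons"])
    return verdict


def triage_requests(records: Iterable[tuple]) -> list:
    """records: (source, authorization_header) pairs. Returns the flagged ones
    as (source, user, reasons) tuples."""
    flagged = []
    for source, header in records:
        verdict = inspect_aws4_authorization(header)
        if verdict["suspicious"]:
            flagged.append((source, verdict["user"], verdict["reasons"]))
    return flagged


# Constructed sample records (source label, Authorization header value).
SAMPLE_REQUESTS = [
    ("req-1", "Basic YWxpY2U6c2VjcmV0"),
    ("req-2", "AWS4-HMAC-SHA256 Credential=alice/20250401/us-east-1/s3/aws4_request, "
              "SignedHeaders=host;x-amz-date, Signature=0123abcd"),
    ("req-3", "AWS4-HMAC-SHA256 Credential=crushadmin/, SignedHeaders=host, Signature=0123abcd"),
    ("req-4", "AWS4-HMAC-SHA256 Credential=bob/20250401/us-east-1/s3, SignedHeaders=host"),
]

if __name__ == "__main__":
    for ver in ("10.8.3", "10.8.4", "11.3", "11.3.1"):
        print(ver, "affected" if is_affected_version(ver) else "fixed")
    for source, user, reasons in triage_requests(SAMPLE_REQUESTS):
        print(f"{source}: user={user} reasons={reasons}")
```

The version check alone tells you whether to patch; the header triage is only useful after patching has been confirmed, as a way to look back through proxy or gateway logs for malformed SigV4 login attempts worth investigating.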
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
News Articles
CISA, experts warn of Crush file transfer attacks as ransomware gang makes threats
The makers of the popular file transfer tool CrushFTP say a responsibly disclosed vulnerability in the software has been weaponized. CISA and cyber researchers are sounding alarm bells.
3 weeks ago
CrushFTP Exploitation Continues Amid Disclosure Dispute
Attacks on a critical authentication bypass flaw in CrushFTP's file transfer product continue this week after duplicate CVEs sparked confusion.
3 weeks ago

CISA Alerts on Actively Exploited CrushFTP Authentication Bypass Vulnerability
CISA has issued a warning about an actively exploited vulnerability in CrushFTP, a popular file transfer server solution.
3 weeks ago
EPSS Score
21% chance of being exploited in the next 30 days.
Timeline
- Vulnerability reached the number 1 worldwide trending spot
- Public PoC available
- Used in Ransomware
- Exploit known to exist
- CISA Reported
- Vulnerability started trending
- First article discovered by SecurityWeek
- Vulnerability published
- Vulnerability Reserved