Authentication Bypass Vulnerability in CrushFTP by CrushFTP
CVE-2025-31161
Key Information:
- Vendor: CrushFTP
- CVE Published: 3 April 2025
What is CVE-2025-31161?
CVE-2025-31161 is a critical authentication bypass vulnerability in CrushFTP, a multi-protocol file transfer server. It affects CrushFTP 10 before 10.8.4 and CrushFTP 11 before 11.3.1 and allows an unauthenticated remote attacker, over the HTTP(S) port, to authenticate as any known or guessable user, including the built-in crushadmin account. Instances reached only through a CrushFTP DMZ proxy are not exposed to this path. The flaw is being exploited in the wild; a successful attack yields administrative control of the server and, with it, every file and credential it holds.
Technical Details
CVE-2025-31161 is a race condition in the AWS4-HMAC (S3-compatible) authorization method of the HTTP component of the CrushFTP server. When a request carries an AWS4-HMAC Authorization header, the server first confirms that the named user exists by calling its login routine with no password requirement. That call already authenticates the session; the HMAC signature is verified only afterwards, and the session is revoked only if that later check fails. Between the two steps the session is usable, which is the race. The attack does not even need to win the race: a mangled header whose Credential field contains only the username followed by a slash (for example, Credential=crushadmin/) is enough for the server to find the user and authenticate the session, but the subsequent lookup of the SignedHeaders entry then fails with an index-out-of-bounds error, and that exception stops the code from ever reaching the session cleanup. The result is a persistent authenticated session for any known or guessable username, including crushadmin, obtained without a password.
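The ordering flaw described above, as an added example that is not CrushFTP's code: a deliberately simplified Python model of the fail-open login sequence (session authenticated on username lookup, signature verified afterwards, cleanup only on the failure path) next to a fail-closed version. All names (VulnerableLogin, HardenedLogin, USERS, handle_request, parse_aws4_header) are hypothetical, and the signature check is a plain HMAC-SHA256 over a caller-supplied canonical request rather than the real AWS4 key derivation.

```python
# Added example, not CrushFTP's code. Hypothetical model of the fail-open
# login ordering described for CVE-2025-31161, beside a fail-closed version.
import hashlib
import hmac
from typing import Dict

# Constructed user store for the example (not real credentials).
USERS: Dict[str, bytes] = {
    "crushadmin": b"example-admin-secret",
    "alice": b"example-alice-secret",
}

PREFIX = "AWS4-HMAC-SHA256 "


def parse_aws4_header(header: str) -> Dict[str, str]:
    """Split 'AWS4-HMAC-SHA256 Credential=..., SignedHeaders=..., Signature=...'
    into a dict. A mangled header such as 'AWS4-HMAC-SHA256 Credential=crushadmin/'
    yields only the Credential entry, which is the shape that matters here."""
    if not header.startswith(PREFIX):
        raise ValueError("not an AWS4-HMAC header")
    fields: Dict[str, str] = {}
    for part in header[len(PREFIX):].split(","):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def sign(user: str, canonical_request: bytes) -> str:
    """Simplified signature: HMAC-SHA256 of the request under the user's key
    (assumption for the example; real AWS4 derives a scoped signing key)."""
    return hmac.new(USERS[user], canonical_request, hashlib.sha256).hexdigest()


class VulnerableLogin:
    """Models the vulnerable ordering: the session is marked authenticated as
    soon as the username is known to exist; the HMAC is checked afterwards and
    the session is revoked only in that later failure path."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def login(self, session_id: str, header: str, canonical_request: bytes) -> bool:
        fields = parse_aws4_header(header)
        user = fields["Credential"].split("/")[0]
        if user not in USERS:
            return False
        self.sessions[session_id] = user  # BUG: authenticated before any signature check
        _ = fields["SignedHeaders"]       # KeyError on a mangled header: cleanup below never runs
        if hmac.compare_digest(sign(user, canonical_request), fields.get("Signature", "")):
            return True
        del self.sessions[session_id]     # cleanup is only reachable on a well-formed header
        return False


class HardenedLogin:
    """Fail-closed ordering: parse and verify everything first; only a fully
    verified request creates a session, and malformed input creates nothing."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def login(self, session_id: str, header: str, canonical_request: bytes) -> bool:
        try:
            fields = parse_aws4_header(header)
            user, _scope = fields["Credential"].split("/", 1)
            _ = fields["SignedHeaders"]
            signature = fields["Signature"]
        except (ValueError, KeyError):
            return False  # malformed header: no session, no exception
        key = USERS.get(user)
        if key is None:
            return False
        expected = hmac.new(key, canonical_request, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.sessions[session_id] = user  # state is mutated only after verification
        return True


def handle_request(server, session_id: str, header: str, canonical_request: bytes = b"") -> int:
    """HTTP-handler wrapper returning a status code. An exception escaping
    login() becomes a 500, but nothing here undoes state login() already set."""
    try:
        return 200 if server.login(session_id, header, canonical_request) else 401
    except (KeyError, ValueError):
        return 500
```

Against the vulnerable model, a request carrying only "AWS4-HMAC-SHA256 Credential=crushadmin/" produces an error response yet leaves an authenticated crushadmin session behind; the hardened model returns 401 and creates nothing. The general lesson is the one the CVE illustrates: never mutate authentication state before every check that could fail has passed, so that no exception path can skip the cleanup.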
Potential impact of CVE-2025-31161
- Unauthorized Access and Control: The most immediate concern is that attackers can take over administrative accounts, allowing them to execute commands and alter the server configuration with full privileges.
- Data Breach Risks: With administrative access, malicious actors can read, manipulate, or exfiltrate every file the server holds, leading to data breaches that can severely damage an organization's reputation and compliance standing.
- System Compromise: Authenticating as a privileged user makes it far easier to deploy further exploits or malware, turning a single file transfer server into a foothold for broader compromise of the organization's infrastructure.
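A detection check over constructed log lines, added here as an example (not from the page or from CrushFTP). It flags requests whose AWS4-HMAC Authorization header has the mangled shape described under Technical Details: a Credential of the form username/ with an empty scope, or a header with no SignedHeaders or Signature field at all. The log format ("METHOD path | Authorization header"), the sample lines and the function names are assumptions for the example; CrushFTP's own logs may not record the Authorization header, so a reverse proxy or WAF log is the more realistic source.

```python
# Added example, not CrushFTP's code: flag mangled AWS4-HMAC Authorization
# headers of the kind described for CVE-2025-31161 in constructed log lines.
import re
from typing import Dict, List, Optional

# Constructed sample log, format "METHOD path | Authorization header".
# Made up for the example; not real traffic.
SAMPLE_LOG = """\
GET /WebInterface/function/ | AWS4-HMAC-SHA256 Credential=crushadmin/
GET /WebInterface/function/ | AWS4-HMAC-SHA256 Credential=alice/20250403/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=abc123
POST /WebInterface/login/ | Basic YWxpY2U6cGFzc3dvcmQ=
GET /WebInterface/function/ | AWS4-HMAC-SHA256 Credential=bob/
GET / | AWS4-HMAC-SHA256 Credential=carol/20250403/us-east-1/s3/aws4_request
"""

PREFIX = "AWS4-HMAC-SHA256 "
# Credential=<user>/<scope>; the scope may be empty, which is the tell-tale shape.
CRED_RE = re.compile(r"Credential=([^/,\s]+)/([^,\s]*)")


def classify_auth_header(auth: str) -> Optional[Dict]:
    """Return a finding for a suspicious AWS4-HMAC header, or None if the
    header is not AWS4-HMAC or looks well formed."""
    if not auth.startswith(PREFIX):
        return None
    match = CRED_RE.search(auth)
    if not match:
        return None
    user, scope = match.group(1), match.group(2)
    reasons: List[str] = []
    if scope == "":
        reasons.append("credential scope empty (username followed only by '/')")
    if "SignedHeaders=" not in auth:
        reasons.append("SignedHeaders missing")
    if "Signature=" not in auth:
        reasons.append("Signature missing")
    if not reasons:
        return None
    # crushadmin is the account the advisory names; treat it as high value.
    return {"user": user, "reasons": reasons, "high_value": user == "crushadmin"}


def scan_log(text: str) -> List[Dict]:
    """Run classify_auth_header over every line of the assumed log format and
    return the findings in file order, each tagged with its line number."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if " | " not in line:
            continue  # line does not carry an Authorization header in this format
        request, auth = line.split(" | ", 1)
        finding = classify_auth_header(auth.strip())
        if finding:
            finding["line"] = lineno
            finding["request"] = request
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " [HIGH VALUE]" if f["high_value"] else ""
        print(f"line {f['line']}: {f['request']} user={f['user']}{flag}: {'; '.join(f['reasons'])}")
```

Broken S3 clients can also send malformed headers, so treat a hit as a lead rather than a verdict: the strong signal is a malformed AWS4-HMAC request followed by authenticated activity from the same session or source address on a server that is still on an affected version.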
Affected Version(s)
CrushFTP 10 < 10.8.4
CrushFTP 11 < 11.3.1
News Articles
- Disclosure Drama Clouds CrushFTP Vulnerability Exploitation
  CrushFTP CEO Ben Spink slammed several cybersecurity companies for creating confusion around a critical authentication bypass flaw that's currently under attack.
- Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy
  Two CVEs now exist for an actively exploited CrushFTP vulnerability and much of the security industry is using the 'wrong one'.
Timeline
- Vulnerability started trending
- First article discovered by SecurityWeek
- Vulnerability published (3 April 2025)
- Vulnerability reserved