Authentication Bypass Vulnerability in CrushFTP by CrushFTP
CVE-2025-31161

9.8 CRITICAL

Key Information:

Vendor: CrushFTP
Status: Vendor
CVE Published: 3 April 2025

Badges

🥇 Trended No. 1 · 📈 Trended · 📈 Score: 10,100 · 💰 Ransomware · 👾 Exploit Exists · 🟡 Public PoC · 🟣 EPSS 21% · 🦅 CISA Reported · 📰 News Worthy

What is CVE-2025-31161?

CVE-2025-31161 is a critical authentication bypass vulnerability found in CrushFTP, a software solution designed for secure file transfer protocols. This vulnerability impacts versions of CrushFTP prior to 10.8.4 and 11.3.1, allowing unauthorized users to authenticate as privileged accounts, notably the crushadmin account. If exploited, this vulnerability could lead to significant security breaches, compromising sensitive data and operations, thus posing substantial risks to organizations relying on CrushFTP for file transfer tasks.

Technical Details

CVE-2025-31161 arises from a race condition in the AWS4-HMAC authorization method within the HTTP component of the CrushFTP server. The issue lies in how user authentication is handled during the login process: the server checks whether the user is valid before a password has been required, which leaves a window an attacker can hit by manipulating the AWS4-HMAC headers. By presenting a valid username followed by a slash, an attacker can win that race and have the server treat the request as authenticated, gaining access to the system with administrative capabilities.

Potential impact of CVE-2025-31161

  1. Unauthorized Access and Control: The most immediate concern is that attackers can gain control over administrative accounts, allowing them to execute commands or alter configurations without detection.

  2. Data Breach Risks: With administrative access, malicious actors can access, manipulate, or exfiltrate sensitive data, leading to potential data breaches that could severely damage an organization's reputation and compliance standing.

  3. System Compromise: The ability to authenticate as a privileged user increases the likelihood of deploying further exploits or malware, resulting in broader system compromise throughout an organization's infrastructure.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities; it has identified this one as being exploited in the wild and as known to enable ransomware campaigns.

CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

CrushFTP 10 < 10.8.4

CrushFTP 11 < 11.3.1
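Two defensive checks that follow from the Technical Details above and the affected-version ranges just listed: a version-range test for asset inventory, and a log-triage routine that flags AWS4-HMAC Authorization headers whose Credential scope is malformed (a username followed by a bare slash, as the advisory describes). This is an added example, not CrushFTP's own code; the access-log format, request paths and sample lines are constructed for the example, and the five-part SigV4 credential scope is the standard AWS format rather than something this page states.

```python
import re

# Fixed versions from the Affected Version(s) section: 10 < 10.8.4, 11 < 11.3.1.
FIXED_IN = {10: (10, 8, 4), 11: (11, 3, 1)}

def is_affected(version: str) -> bool:
    """True if a CrushFTP version string falls inside a vulnerable range."""
    parsed = tuple(int(p) for p in version.strip().split("."))
    fixed = FIXED_IN.get(parsed[0])
    # Majors not listed on the page are not treated as affected here.
    return fixed is not None and parsed < fixed

# A well-formed AWS SigV4 Credential scope has five slash-separated parts:
# access-key/date/region/service/aws4_request. The advisory describes a
# username followed by a bare slash, which this check flags as malformed.
CRED_RE = re.compile(r"AWS4-HMAC-SHA256\s+Credential=([^,\s]*)")

def credential_anomaly(auth_header: str):
    """Return (access_key, reason) if the Credential scope is malformed, else None."""
    m = CRED_RE.search(auth_header)
    if not m:
        return None
    scope = m.group(1)
    parts = scope.split("/")
    if len(parts) != 5 or any(p == "" for p in parts):
        return parts[0], f"malformed AWS4 credential scope {scope!r}"
    return None

# Constructed access-log format for this example: <ip> <method> <path> "Authorization: <value>"
LOG_RE = re.compile(r'(\S+) (\S+) (\S+) "Authorization: (.*)"$')

def triage(log_lines):
    """Return (source_ip, access_key, reason) for each line worth a second look."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an HTTP line carrying an Authorization header
        anomaly = credential_anomaly(m.group(4))
        if anomaly:
            hits.append((m.group(1), anomaly[0], anomaly[1]))
    return hits

# Constructed sample lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.0.0.5 GET /api/ "Authorization: AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250403/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=abc"',
    '203.0.113.9 GET /api/ "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/, SignedHeaders=host, Signature=abc"',
    '10.0.0.6 GET /login "Authorization: Basic dXNlcjpwYXNz"',
]
```

A hit on a host still running an affected build is a reason to pull the full request history for that source, not proof of compromise on its own.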

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

CISA, experts warn of Crush file transfer attacks as ransomware gang makes threats

The makers of the popular file transfer tool CrushFTP say a responsibly disclosed vulnerability in the software has been weaponized. CISA and cyber researchers are sounding alarm bells.

3 weeks ago

CrushFTP Exploitation Continues Amid Disclosure Dispute

Attacks on a critical authentication bypass flaw in CrushFTP's file transfer product continue this week after duplicate CVEs sparked confusion.

3 weeks ago

CISA Alerts on Actively Exploited CrushFTP Authentication Bypass Vulnerability

CISA has issued a warning about an actively exploited vulnerability in CrushFTP, a popular file transfer server solution.

3 weeks ago

EPSS Score

21% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🥇 Vulnerability reached the number 1 worldwide trending spot

  • 🟡 Public PoC available

  • 💰 Used in Ransomware

  • 👾 Exploit known to exist

  • 🦅 CISA Reported

  • 📈 Vulnerability started trending

  • 📰 First article discovered by SecurityWeek

  • Vulnerability published

  • Vulnerability Reserved