AI description
CVE-2025-31161 is a critical authentication bypass vulnerability in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. It stems from a flaw in the AWS4-HMAC authorization method of the HTTP component, which lets remote attackers gain unauthorized access to unpatched servers with unauthenticated HTTP requests. By sending a manipulated Authorization header, an attacker can impersonate any known or guessable user, including the "crushadmin" account: the server first checks that the user exists without requiring a password, and that check authenticates the session through the HMAC verification path before the later user verification check runs. Obtaining an administrative account this way can lead to full compromise of the system.
- Description: CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
- Source: cve@mitre.org
- NVD status: Analyzed
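As an added example (not code from this page or from CrushFTP), a defender-side check that scans captured Authorization header values for the malformed AWS4-HMAC form the description above refers to: an AWS4-HMAC-SHA256 credential with no SignedHeaders entry, or a credential whose scope after the username is incomplete. The sample header values are constructed, and it is assumed such headers are available from a reverse proxy or request log in front of the HTTP(S) port.

```python
from typing import List, Optional, Tuple

SCHEME = "AWS4-HMAC-SHA256"

# Constructed sample Authorization header values, as a reverse proxy or request
# log in front of CrushFTP's HTTP(S) port might record them. Not real captures.
SAMPLE_HEADERS = [
    # Well-formed SigV4-style header: five-part credential, SignedHeaders present.
    "AWS4-HMAC-SHA256 Credential=alice/20250401/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-date, Signature=0123abcd",
    # The mangled form the advisory describes: a username, a slash, nothing else.
    "AWS4-HMAC-SHA256 Credential=crushadmin/",
    # Scope present but SignedHeaders omitted: never a valid SigV4 header either.
    "AWS4-HMAC-SHA256 Credential=bob/20250401/us-east-1/s3/aws4_request, Signature=ff",
    "Basic YWxpY2U6c2VjcmV0",  # unrelated scheme, must not be flagged
]


def parse_aws4(value: str) -> Optional[dict]:
    """Split 'AWS4-HMAC-SHA256 k=v, k=v, ...' into a dict; None for other schemes."""
    if not value.startswith(SCHEME):
        return None
    fields = {}
    for part in value[len(SCHEME):].split(","):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key] = val.strip()
    return fields


def check_aws4_header(value: str) -> Optional[Tuple[str, str]]:
    """(username, reason) if malformed as the advisory describes, else None.
    A genuine SigV4 credential is user/date/region/service/aws4_request
    and is always accompanied by a SignedHeaders entry."""
    fields = parse_aws4(value)
    if fields is None:
        return None
    user, *scope = fields.get("Credential", "").split("/")
    if "SignedHeaders" not in fields:
        return user, "missing SignedHeaders"
    if len(scope) != 4 or not all(scope):
        return user, "credential scope incomplete"
    return None


def scan(headers: List[str]) -> List[Tuple[int, str, str]]:
    """Run the check over captured values; returns (index, username, reason) hits."""
    results = ((i, check_aws4_header(v)) for i, v in enumerate(headers))
    return [(i, r[0], r[1]) for i, r in results if r]
```

Hits name the user the header tried to assert, which is what to pivot on when reviewing whether that account saw activity afterwards.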
CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
Data from CISA
- Vulnerability name: CrushFTP Authentication Bypass Vulnerability
- Exploit added on: Apr 7, 2025
- Exploit action due: Apr 28, 2025
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- cve@mitre.org: CWE-305
- nvd@nist.gov: NVD-CWE-Other
- Hype score: Not currently trending
GitHub - ghostsec420/ShatteredFTP: Shattered is a tool and POC for the new CrushedFTP vulns, CVE Exploit Script: CVE-2025-2825 vs CVE-2025-31161 https://t.co/EsmLV1fo1b
@akaclandestine
20 Apr 2025
🚨 Attention IT teams and cybersecurity pros! A critical authentication bypass vulnerability (CVE-2025-31161) has been discovered in CrushFTP, affecting versions 10.0.0–10.8.3 and 11.0.0–11.3.0. This flaw is actively exploited in ransomware attacks, allowing unauthenticated
@zerodailyme
19 Apr 2025
[1Day1Line] CVE-2025-31161: Authentication Bypass Vulnerability in CrushFTP via Parameter Overloading https://t.co/riCEAUO6Db Hello. Today’s 1Day1Line is about a CrushFTP vulnerability that sparked controversy after being assigned two CVEs — CVE-2025-31161 and CVE-2025-2825.
@hackyboiz
19 Apr 2025
Actively exploited CVE : CVE-2025-31161
@transilienceai
18 Apr 2025
CISA and cybersecurity experts are sounding the alarm: Hackers are actively exploiting a critical vulnerability (CVE-2025-31161) in CrushFTP, a file transfer tool used by thousands of companies to move sensitive data. https://t.co/5xDnT49LO3 #CyberSecurity #CrushFTP
@onestepsecureit
18 Apr 2025
Actively exploited CVE : CVE-2025-31161
@transilienceai
18 Apr 2025
😈🪰 Villain of the Week 🪰😈 An authentication bypass vulnerability, CVE-2025-31161, has been identified in CrushFTP versions 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0. Researchers have reported active, in-the-wild exploitation of this CVE. ☠️ Exploiting this vulnerability could h
@vicariusltd
17 Apr 2025
Actively exploited CVE : CVE-2025-31161
@transilienceai
16 Apr 2025
Actively exploited CVE : CVE-2025-31161
@transilienceai
14 Apr 2025
Actively exploited CVE : CVE-2025-31161
@transilienceai
13 Apr 2025
Actively exploited CVE : CVE-2025-31161
@transilienceai
12 Apr 2025
🚨 New plugin for CrushFTP's CVE-2025-2825/CVE-2025-31161 is up. While enumerating users to validate vulnerable instances we noticed a pattern. It's on all instances we scanned for, can you see it? What do you make of it? https://t.co/YpesS10A1N
@leak_ix
11 Apr 2025
Actively exploited CVE : CVE-2025-31161
@transilienceai
11 Apr 2025
CrushFTP Vulnerability CVE-2025-31161: Exploitation Risks Rise https://t.co/1Uj6puRUN5
@vault33org
10 Apr 2025
In the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog, the Windows CLFS driver vulnerability CVE-2025-29824 and the CrushFTP vulnerability CVE-2025-31161 have been confirmed as exploited in ransomware attacks. https://t.co/yygT1Uwj2s
@__kokumoto
9 Apr 2025
🗞️ CISA Flags CrushFTP Flaw as Actively Exploited, Adds to KEV Catalog CISA has added a critical CrushFTP flaw (CVE-2025-31161) to its KEV catalog after it was confirmed to have been exploited in the wild since March 30—over 815 servers are still vulnerable! Federal agencies ht
@gossy_84
9 Apr 2025
🚨 Vulnerability in CrushFTP (CVE-2025-31161, CVSS 9.8) is being actively exploited https://t.co/JTOOPQyPbj https://t.co/U29qt9tw91
@elhackernet
9 Apr 2025
Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-31161 #CrushFTP Authentication Bypass Vulnerability https://t.co/CrZEoWhAos
@ScyScan
8 Apr 2025
🚨 CISA KEV Alert: A critical flaw in CrushFTP (CVE-2025-31161) 🚨 Now listed in its catalog enables attackers to bypass authentication and seize control of the crushadmin account. 🛡️Read our annotated article at: https://t.co/UrVW4rQQth #Infosec #CISA #CyberSecurity https
@BaseFortify
8 Apr 2025
A critical authentication bypass vulnerability in CrushFTP (CVE-2025-31161) allows unauthenticated remote access. Organizations using affected versions should patch immediately to prevent exploitation and system compromise. https://t.co/tC6Gp3pax3
@toptechgh
8 Apr 2025
CISA has added a critical CrushFTP vulnerability (CVE-2025-31161) to its KEV catalog after confirmed exploitation. Affects sectors like marketing and retail. Stay vigilant! 🔒🛡️ #CISA #CrushFTP #USA link: https://t.co/zBT2ScAb5x https://t.co/xnalB17c0t
@TweetThreatNews
8 Apr 2025
CrushFTP flaw (CVE-2025-31161, CVSS 9.8) is being actively exploited. Full system takeover via authentication bypass (no login needed) —First attacks seen March 30 —815 vulnerable servers — Targets: marketing, retail, semiconductor sectors — Malware used: MeshAgent, Telegram ht
@TheHackersNews
8 Apr 2025
🛡️ We added CrushFTP authentication bypass vulnerability CVE-2025-31161 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec https://t.co/igvl44p7D8
@CISACyber
7 Apr 2025
Huntress researchers recently analyzed attacks involving CVE-2025-31161, a critical authentication bypass flaw in CrushFTP. 💡 We observed specific post-exploitation activity used by threat actors leveraging the flaw in the wild https://t.co/hHEcVUjXx0
@HuntressLabs
7 Apr 2025
#threatreport #MediumCompleteness CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation | 06-04-2025 Source: https://t.co/iRymS3Stkg Key details below ↓ 💀Threats: Meshcentral_tool, Anydesk_tool, Meshagent_tool, 🏭Industry: Semiconductor_industry, Retail 🔓CVEs: https://t.
@rst_cloud
6 Apr 2025
🚨 CVE-2025-31161 ⚠️🔴 CRITICAL (9.8) 🏢 CrushFTP - CrushFTP 🏗️ 10 🔗 https://t.co/7DlRgqGQwN 🔗 https://t.co/sQCCm5EiIu #CyberCron #VulnAlert #InfoSec https://t.co/qGFVeL4haB
@cybercronai
4 Apr 2025
We wrote up what @HuntressLabs has been seeing for the CrushFTP authentication bypass: CVE-2025-31161 (or CVE-2025-2825, whichever side of the bed you woke up on) leading to MeshCentral agents, AnyDesk, and neato "TelegramBot" malware. Patch plz! ✌️ https://t.co/Ax4cJjgONF https:
@_JohnHammond
4 Apr 2025
pwning my FTP server is a weird way to say you have a Crush on me but okay 🥰 anyways check out our analysis of some CrushFTP CVE-2025-31161 post exploitation activity! https://t.co/gUPHQRZUEG
@birchb0y
4 Apr 2025
CVE-2025-31161 is the latest example of a critical severity authentication bypass vulnerability in CrushFTP, a growing trend we’re seeing from attackers targeting managed file transfer (MFT) platforms. https://t.co/kLgLN019bn
@HuntressLabs
4 Apr 2025
CVE-2025-31161 CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited… https://t.co/gTFCg97kaN
@CVEnew
4 Apr 2025
The authentication bypass vulnerability (CVE-2025-31161) in the CrushFTP file transfer server is a serious flaw that allows access through the HTTP(S) port without authentication, and its CVSS score of 9.8 is very high.
@yousukezan
3 Apr 2025
[CVE-2025-31161: CRITICAL] Vulnerability in CrushFTP allows for cyber attackers to bypass authentication and take over the crushadmin account, exploited in the wild in March and April 2025. #cybersecurity#cybersecurity,#vulnerability https://t.co/LqCAdnWElH https://t.co/JpulMDZtd
@CveFindCom
3 Apr 2025
Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy - (CVE-2025-31161 vs. CVE-2025-2825) https://t.co/89A8CpEzLo
@SecurityWeek
3 Apr 2025
🚨 CVE Alert: Critical CrushFTP Authentication Bypass Vulnerability🚨 Vulnerability Details: CVE-2025-31161 (CVSS v3 9.8/10) CrushFTP Authentication Bypass Vulnerability Impact: A successful exploit of CVE-2025-31161 may allow unauthenticated attackers to gain unauthorized http
@CyberxtronTech
3 Apr 2025
CrushFTP Blames Security Firms for Fast Exploitation of Vulnerability Shadowserver has started seeing exploitation attempts aimed at a CrushFTP vulnerability tracked as CVE-2025-2825 and CVE-2025-31161. https://t.co/qyj56WI1bR https://t.co/aUSE1iJ8Zg
@persistsec
1 Apr 2025
```json
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "ABD1B990-3D20-49A1-B62D-60BE724EE83F",
            "versionEndExcluding": "10.8.4",
            "versionStartIncluding": "10.0.0"
          },
          {
            "criteria": "cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "832C5DBF-FF1C-447E-812E-063CD844EE07",
            "versionEndExcluding": "11.3.1",
            "versionStartIncluding": "11.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
```