CVE-2025-31161

Published Apr 3, 2025

Last updated 4 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-31161 is a critical authentication bypass in CrushFTP 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, fixed in 10.8.4 and 11.3.1. The flaw sits in the AWS4-HMAC (S3-compatible) authorization method of the server's HTTP component and is reachable by an unauthenticated remote attacker over the HTTP(S) port. A single crafted Authorization header lets the attacker impersonate any known or guessable user, including the built-in "crushadmin" account: the server looks up the user named in the header and marks the session as logged in before it has verified the HMAC signature, and a malformed header then aborts the request before the later verification step and its session cleanup run, so the session stays authenticated. Taking over crushadmin this way gives full control of the server. Per the CVE record, the bypass does not apply when a CrushFTP DMZ proxy instance is used.
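The ordering described above (user looked up and session authenticated first, signature and cleanup afterwards) is easiest to see in code. The following Python is an added model, not CrushFTP's code: the Session class, the USERS store, the positional header split and the HMAC-over-SignedHeaders "signature" are all assumptions chosen to mirror the sequence the CVE record on this page describes, with the flawed handler beside a hardened one. The CVE record also mentions a race-condition variant; this model reproduces only the stabilised form, where a Credential truncated to "user/" makes the handler raise before cleanup.

```python
"""
Model of the authentication ordering described for CVE-2025-31161.

Added illustration, not CrushFTP's code. The session object, the user
store and the helper names are assumptions that mirror the sequence the
CVE text describes: username taken from the Credential field and the
session marked authenticated before any secret is checked; a truncated
'user/' Credential then makes the positional SignedHeaders lookup raise
IndexError, so the cleanup is skipped. The "signature" is a plain HMAC
over the SignedHeaders value, a stand-in for the real SigV4 derivation.
"""
import hashlib
import hmac

SCHEME = "AWS4-HMAC-SHA256 "

# Constructed user store: username -> HMAC secret.
USERS = {
    "crushadmin": b"constructed-admin-secret",
    "alice": b"constructed-alice-secret",
}


class Session:
    """Per-connection state; a request that leaves authenticated=True is
    treated as a logged-in session by everything that runs afterwards."""

    def __init__(self):
        self.user = None
        self.authenticated = False


def split_fields(header):
    """Positional split of 'AWS4-HMAC-SHA256 Credential=..., SignedHeaders=..., Signature=...'
    into ['Credential=...', 'SignedHeaders=...', 'Signature=...']."""
    if not header.startswith(SCHEME):
        raise ValueError("not an AWS4-HMAC-SHA256 header")
    return [p.strip() for p in header[len(SCHEME):].split(",")]


def expected_signature(secret, signed_headers):
    """Stand-in for the SigV4 signature: HMAC-SHA256 over the SignedHeaders list."""
    return hmac.new(secret, signed_headers.encode(), hashlib.sha256).hexdigest()


def vulnerable_authorize(session, header):
    """Flawed ordering: the session is authenticated as soon as the user exists;
    the signature is checked afterwards, and the cleanup on a bad signature
    only runs if execution gets that far."""
    parts = split_fields(header)
    user = parts[0].split("=", 1)[1].split("/")[0]   # 'crushadmin/' -> 'crushadmin'
    if user not in USERS:
        return False
    session.user = user
    session.authenticated = True                      # logged in, no secret checked yet
    signed_headers = parts[1].split("=", 1)[1]        # IndexError for 'Credential=crushadmin/'
    signature = parts[2].split("=", 1)[1]
    if not hmac.compare_digest(expected_signature(USERS[user], signed_headers).encode(),
                               signature.encode()):
        session.user = None                           # cleanup: unreachable after the raise
        session.authenticated = False
    return session.authenticated


def hardened_authorize(session, header):
    """Fixed ordering: parse and verify the whole header first, treat any
    malformed header as an ordinary failure, and touch the session only
    after the signature has verified."""
    try:
        parts = split_fields(header)
        credential = parts[0].split("=", 1)[1]
        signed_headers = parts[1].split("=", 1)[1]
        signature = parts[2].split("=", 1)[1]
        user, scope = credential.split("/", 1)
        if len(scope.split("/")) != 4:                # date/region/service/aws4_request
            return False
    except (IndexError, ValueError):
        return False
    secret = USERS.get(user)
    if secret is None:
        return False
    if not hmac.compare_digest(expected_signature(secret, signed_headers).encode(),
                               signature.encode()):
        return False
    session.user = user
    session.authenticated = True
    return True


def handle_request(authorize, header):
    """Dispatch like a server that turns a handler exception into a 500 but
    keeps the session object alive. Returns (status, session)."""
    session = Session()
    try:
        return (200 if authorize(session, header) else 401), session
    except Exception:
        return 500, session


def make_valid_header(user, signed_headers="host;x-amz-date"):
    """What a legitimate client would send under the same stand-in scheme."""
    sig = expected_signature(USERS[user], signed_headers)
    return (f"{SCHEME}Credential={user}/20250401/us-east-1/s3/aws4_request, "
            f"SignedHeaders={signed_headers}, Signature={sig}")


# The mangled header from the CVE text: username, a slash, nothing else.
MANGLED = SCHEME + "Credential=crushadmin/"

if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_authorize), ("hardened", hardened_authorize)):
        status, s = handle_request(fn, MANGLED)
        print(f"{name}: status={status} authenticated={s.authenticated} user={s.user}")
```

Against the mangled header the vulnerable handler returns a 500 yet leaves the session authenticated as crushadmin, which is the whole bypass; the hardened handler returns 401 with the session untouched. Both accept a correctly signed request and reject a wrong signature, so the fix costs nothing on the legitimate path.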

Description
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
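The mangled header the CVE record describes has a recognisable shape on the wire: an AWS4-HMAC-SHA256 Authorization value whose Credential field stops at "user/", usually with no SignedHeaders or Signature field at all. The following Python is an added hunting helper, not part of the CVE record or of CrushFTP: it scans constructed log lines for that shape, reports which account name each hit targeted, and checks a version string against the affected ranges stated on this page. The log format (combined log with the Authorization header as a trailing quoted field), the request paths and the version-string shape are assumptions; most servers and proxies need explicit configuration before they log the Authorization header at all.

```python
"""
Added triage helper for CVE-2025-31161 (not vendor or CVE-record code).

Two checks a responder can run offline:
  * scan_log(): flag requests whose AWS4-HMAC-SHA256 Authorization header
    matches the mangled shape from the CVE text (Credential truncated to
    'user/', SignedHeaders or Signature missing) and name the target user.
  * is_affected(): compare a CrushFTP version string with the affected
    ranges 10.0.0-10.8.3 and 11.0.0-11.3.0 (fixed in 10.8.4 / 11.3.1).
Log format, request paths and version-string shape are assumptions.
"""
import re

# Constructed sample: combined-log-style lines with the Authorization
# header appended as the last quoted field. Addresses and paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2025:10:12:01 +0000] "GET / HTTP/1.1" 500 0 "AWS4-HMAC-SHA256 Credential=crushadmin/"
203.0.113.5 - - [30/Mar/2025:10:12:02 +0000] "GET /files/ HTTP/1.1" 200 4313 "-"
192.0.2.9 - - [30/Mar/2025:11:00:00 +0000] "PUT /bucket/key HTTP/1.1" 200 0 "AWS4-HMAC-SHA256 Credential=alice/20250330/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=9c3e"
198.51.100.7 - - [30/Mar/2025:11:05:00 +0000] "GET / HTTP/1.1" 401 0 "AWS4-HMAC-SHA256 Credential=root/, SignedHeaders=host, Signature=00"
"""

AUTH_RE = re.compile(r'"(AWS4-HMAC-SHA256 [^"]*)"\s*$')   # trailing quoted Authorization field
CRED_RE = re.compile(r"Credential=([^,/\s]+)/([^,\s]*)")  # user / scope
STATUS_RE = re.compile(r'" (\d{3}) \d+ "')                 # status after the request line


def classify_auth_header(value):
    """Return (claimed_user, reasons). An empty reasons list means the header is
    structurally a normal SigV4 header; the signature value itself is not checked."""
    m = CRED_RE.search(value)
    if m is None:
        return None, ["no Credential field"]
    user, scope = m.groups()
    reasons = []
    if scope == "":
        reasons.append("credential scope truncated to 'user/'")
    elif len(scope.split("/")) != 4:          # date/region/service/aws4_request
        reasons.append("credential scope malformed")
    if "SignedHeaders=" not in value:
        reasons.append("SignedHeaders missing")
    if "Signature=" not in value:
        reasons.append("Signature missing")
    return user, reasons


def scan_log(text):
    """Return one dict per suspicious request: source address, claimed user,
    the status the server answered with, and why the header was flagged."""
    hits = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m is None:
            continue
        user, reasons = classify_auth_header(m.group(1))
        if not reasons:
            continue
        status_m = STATUS_RE.search(line)
        hits.append({
            "src": line.split()[0],
            "user": user,
            "status": int(status_m.group(1)) if status_m else None,
            "reasons": reasons,
        })
    return hits


# Affected ranges from this page: major -> (lowest, highest affected, first fixed).
AFFECTED = {
    10: ((10, 0, 0), (10, 8, 3), "10.8.4"),
    11: ((11, 0, 0), (11, 3, 0), "11.3.1"),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def is_affected(version):
    """Return (affected, first_fixed_version) for a version string such as '11.2.3'.
    Assumption: a leading dotted numeric triple; anything after it is ignored.
    Major versions not listed on this page give (False, None)."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    triple = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    rng = AFFECTED.get(triple[0])
    if rng is None:
        return False, None
    lo, hi, fixed = rng
    return lo <= triple <= hi, fixed


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['src']} -> user={hit['user']} status={hit['status']} {hit['reasons']}")
    for v in ("10.8.3", "10.8.4", "11.3.0", "11.3.1"):
        print(v, is_affected(v))
```

Note that the first flagged line answered 500, not 401: the CVE text says the truncated header trips an index-out-of-bounds error in the server, so a server error on a request carrying an AWS4-HMAC header is itself a useful signal, and the follow-up requests from the same source that succeed without any Authorization header are where the stolen session gets used. A hit naming crushadmin against a version that is_affected() reports as vulnerable is an incident, not a scan.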
Source
cve@mitre.org
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
CrushFTP Authentication Bypass Vulnerability
Exploit added on
Apr 7, 2025
Exploit action due
Apr 28, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

cve@mitre.org
CWE-305 (Authentication Bypass by Primary Weakness)
nvd@nist.gov
NVD-CWE-Other

Social media

Hype score
Not currently trending
  1. GitHub - ghostsec420/ShatteredFTP: Shattered is a tool and POC for the new CrushedFTP vulns, CVE Exploit Script: CVE-2025-2825 vs CVE-2025-31161 https://t.co/EsmLV1fo1b

    @akaclandestine

    20 Apr 2025

    2063 Impressions

    11 Retweets

    42 Likes

    18 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 Attention IT teams and cybersecurity pros! A critical authentication bypass vulnerability (CVE-2025-31161) has been discovered in CrushFTP, affecting versions 10.0.0–10.8.3 and 11.0.0–11.3.0. This flaw is actively exploited in ransomware attacks, allowing unauthenticated

    @zerodailyme

    19 Apr 2025

    28 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. [1Day1Line] CVE-2025-31161: Authentication Bypass Vulnerability in CrushFTP via Parameter Overloading https://t.co/riCEAUO6Db Hello. Today’s 1Day1Line is about a CrushFTP vulnerability that sparked controversy after being assigned two CVEs — CVE-2025-31161 and CVE-2025-2825.

    @hackyboiz

    19 Apr 2025

    930 Impressions

    5 Retweets

    11 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  4. Actively exploited CVE : CVE-2025-31161

    @transilienceai

    18 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. CISA and cybersecurity experts are sounding the alarm: Hackers are actively exploiting a critical vulnerability (CVE-2025-31161) in CrushFTP, a file transfer tool used by thousands of companies to move sensitive data. https://t.co/5xDnT49LO3 #CyberSecurity #CrushFTP

    @onestepsecureit

    18 Apr 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Actively exploited CVE : CVE-2025-31161

    @transilienceai

    18 Apr 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  7. 😈🪰 Villain of the Week 🪰😈 An authentication bypass vulnerability, CVE-2025-31161, has been identified in CrushFTP versions 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0. Researchers have reported active, in-the-wild exploitation of this CVE. ☠️ Exploiting this vulnerability could h

    @vicariusltd

    17 Apr 2025

    59 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Actively exploited CVE : CVE-2025-31161

    @transilienceai

    16 Apr 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. Actively exploited CVE : CVE-2025-31161

    @transilienceai

    14 Apr 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. Actively exploited CVE : CVE-2025-31161

    @transilienceai

    13 Apr 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  11. Actively exploited CVE : CVE-2025-31161

    @transilienceai

    12 Apr 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  12. 🚨 New plugin for CrushFTP's CVE-2025-2825/CVE-2025-31161 is up. While enumerating users to validate vulnerable instances we noticed a pattern. It's on all instances we scanned for, can you see it? What do you make of it? https://t.co/YpesS10A1N

    @leak_ix

    11 Apr 2025

    1007 Impressions

    4 Retweets

    7 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  13. Actively exploited CVE : CVE-2025-31161

    @transilienceai

    11 Apr 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  14. CrushFTP Vulnerability CVE-2025-31161: Exploitation Risks Rise https://t.co/1Uj6puRUN5

    @vault33org

    10 Apr 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. In the Known Exploited Vulnerabilities catalog of the US Cybersecurity and Infrastructure Security Agency (CISA), the Windows CLFS driver vulnerability CVE-2025-29824 and the CrushFTP vulnerability CVE-2025-31161 have been confirmed as exploited by ransomware. https://t.co/yygT1Uwj2s

    @__kokumoto

    9 Apr 2025

    925 Impressions

    0 Retweets

    6 Likes

    2 Bookmarks

    3 Replies

    0 Quotes

  16. 🗞️ CISA Flags CrushFTP Flaw as Actively Exploited, Adds to KEV Catalog CISA has added a critical CrushFTP flaw (CVE-2025-31161) to its KEV catalog after it was confirmed to have been exploited in the wild since March 30—over 815 servers are still vulnerable! Federal agencies ht

    @gossy_84

    9 Apr 2025

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. 🚨 Vulnerability in CrushFTP (CVE-2025-31161, CVSS 9.8) is being actively exploited https://t.co/JTOOPQyPbj https://t.co/U29qt9tw91

    @elhackernet

    9 Apr 2025

    1591 Impressions

    1 Retweet

    7 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  18. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-31161 #CrushFTP Authentication Bypass Vulnerability https://t.co/CrZEoWhAos

    @ScyScan

    8 Apr 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. 🚨 CISA KEV Alert: A critical flaw in CrushFTP (CVE-2025-31161) 🚨 Now listed in its catalog enables attackers to bypass authentication and seize control of the crushadmin account. 🛡️Read out annotated article at: https://t.co/UrVW4rQQth #Infosec #CISA #CyberSecurity https

    @BaseFortify

    8 Apr 2025

    40 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    2 Replies

    0 Quotes

  20. A critical authentication bypass vulnerability in CrushFTP (CVE-2025-31161) allows unauthenticated remote access. Organizations using affected versions should patch immediately to prevent exploitation and system compromise. https://t.co/tC6Gp3pax3

    @toptechgh

    8 Apr 2025

    39 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. CISA has added a critical CrushFTP vulnerability (CVE-2025-31161) to its KEV catalog after confirmed exploitation. Affects sectors like marketing and retail. Stay vigilant! 🔒🛡️ #CISA #CrushFTP #USA link: https://t.co/zBT2ScAb5x https://t.co/xnalB17c0t

    @TweetThreatNews

    8 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. CrushFTP flaw (CVE-2025-31161, CVSS 9.8) is being actively exploited. Full system takeover via authentication bypass (no login needed) —First attacks seen March 30 —815 vulnerable servers — Targets: marketing, retail, semiconductor sectors — Malware used: MeshAgent, Telegram ht

    @TheHackersNews

    8 Apr 2025

    74187 Impressions

    43 Retweets

    107 Likes

    18 Bookmarks

    2 Replies

    2 Quotes

  23. 🛡️ We added CrushFTP authentication bypass vulnerability CVE-2025-31161 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec https://t.co/igvl44p7D8

    @CISACyber

    7 Apr 2025

    366 Impressions

    2 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  24. Huntress researchers recently analyzed attacks involving CVE-2025-31161, a critical authentication bypass flaw in CrushFTP. 💡 We observed specific post-exploitation activity used by threat actors leveraging the flaw in the wild https://t.co/hHEcVUjXx0

    @HuntressLabs

    7 Apr 2025

    1446 Impressions

    2 Retweets

    18 Likes

    3 Bookmarks

    1 Reply

    0 Quotes

  25. #threatreport #MediumCompleteness CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation | 06-04-2025 Source: https://t.co/iRymS3Stkg Key details below ↓ 💀Threats: Meshcentral_tool, Anydesk_tool, Meshagent_tool, 🏭Industry: Semiconductor_industry, Retail 🔓CVEs: https://t.

    @rst_cloud

    6 Apr 2025

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. 🚨 CVE-2025-31161 ⚠️🔴 CRITICAL (9.8) 🏢 CrushFTP - CrushFTP 🏗️ 10 🔗 https://t.co/7DlRgqGQwN 🔗 https://t.co/sQCCm5EiIu #CyberCron #VulnAlert #InfoSec https://t.co/qGFVeL4haB

    @cybercronai

    4 Apr 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. We wrote up what @HuntressLabs has been seeing for the CrushFTP authentication bypass: CVE-2025-31161 (or CVE-2025-2825, whichever side of the bed you woke up on) leading to MeshCentral agents, AnyDesk, and neato "TelegramBot" malware. Patch plz! ✌️ https://t.co/Ax4cJjgONF https:

    @_JohnHammond

    4 Apr 2025

    9463 Impressions

    31 Retweets

    166 Likes

    28 Bookmarks

    2 Replies

    0 Quotes

  28. pwning my FTP server is a weird way to say you have a Crush on me but okay 🥰 anyways check out our analysis of some CrushFTP CVE-2025-31161 post exploitation activity! https://t.co/gUPHQRZUEG

    @birchb0y

    4 Apr 2025

    10711 Impressions

    34 Retweets

    135 Likes

    24 Bookmarks

    3 Replies

    1 Quote

  29. CVE-2025-31161 is the latest example of a critical severity authentication bypass vulnerability in CrushFTP, a growing trend we’re seeing from attackers targeting managed file transfer (MFT) platforms. https://t.co/kLgLN019bn

    @HuntressLabs

    4 Apr 2025

    3036 Impressions

    9 Retweets

    27 Likes

    3 Bookmarks

    1 Reply

    1 Quote

  30. CVE-2025-31161 CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited… https://t.co/gTFCg97kaN

    @CVEnew

    4 Apr 2025

    334 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. The authentication bypass vulnerability (CVE-2025-31161) in the CrushFTP file transfer server is a serious flaw that allows access via the HTTP(S) port without authentication; its CVSS score of 9.8 is very high.

    @yousukezan

    3 Apr 2025

    484 Impressions

    0 Retweets

    1 Like

    2 Bookmarks

    0 Replies

    0 Quotes

  32. [CVE-2025-31161: CRITICAL] Vulnerability in CrushFTP allows for cyber attackers to bypass authentication and take over the crushadmin account, exploited in the wild in March and April 2025. #cybersecurity#cybersecurity,#vulnerability https://t.co/LqCAdnWElH https://t.co/JpulMDZtd

    @CveFindCom

    3 Apr 2025

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy - (CVE-2025-31161 vs. CVE-2025-2825) https://t.co/89A8CpEzLo

    @SecurityWeek

    3 Apr 2025

    1697 Impressions

    11 Retweets

    15 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  34. 🚨 CVE Alert: Critical CrushFTP Authentication Bypass Vulnerability🚨 Vulnerability Details: CVE-2025-31161 (CVSS v3 9.8/10) CrushFTP Authentication Bypass Vulnerability Impact: A successful exploit of CVE-2025-31161 may allow unauthenticated attackers to gain unauthorized http

    @CyberxtronTech

    3 Apr 2025

    72 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. CrushFTP Blames Security Firms for Fast Exploitation of Vulnerability Shadowserver has started seeing exploitation attempts aimed at a CrushFTP vulnerability tracked as CVE-2025-2825 and CVE-2025-31161. https://t.co/qyj56WI1bR https://t.co/aUSE1iJ8Zg

    @persistsec

    1 Apr 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations