AI description
CVE-2025-31161 is a critical authentication bypass vulnerability found in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. It stems from a flaw in the AWS4-HMAC authorization method within the HTTP component, allowing remote attackers to gain unauthorized access to systems running unpatched versions of the software via unauthenticated HTTP requests. The vulnerability allows attackers to impersonate any known or guessable user, including the "crushadmin" account, by sending a manipulated Authorization header. The server initially verifies user existence without requiring a password, enabling session authentication through HMAC verification before a subsequent user verification check. This bypass can lead to a full compromise of the system by obtaining an administrative account.
- Description
- CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
- Source
- cve@mitre.org
- NVD status
- Received
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- cve@mitre.org
- CWE-305
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 38
🚨 CVE-2025-31161 ⚠️🔴 CRITICAL (9.8) 🏢 CrushFTP - CrushFTP 🏗️ 10 🔗 https://t.co/7DlRgqGQwN 🔗 https://t.co/sQCCm5EiIu #CyberCron #VulnAlert #InfoSec https://t.co/qGFVeL4haB
@cybercronai
4 Apr 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
We wrote up what @HuntressLabs has been seeing for the CrushFTP authentication bypass: CVE-2025-31161 (or CVE-2025-2825, whichever side of the bed you woke up on) leading to MeshCentral agents, AnyDesk, and neato "TelegramBot" malware. Patch plz! ✌️ https://t.co/Ax4cJjgONF https:
@_JohnHammond
4 Apr 2025
9463 Impressions
31 Retweets
166 Likes
28 Bookmarks
2 Replies
0 Quotes
pwning my FTP server is a weird way to say you have a Crush on me but okay 🥰 anyways check out our analysis of some CrushFTP CVE-2025-31161 post exploitation activity! https://t.co/gUPHQRZUEG
@birchb0y
4 Apr 2025
10711 Impressions
34 Retweets
135 Likes
24 Bookmarks
3 Replies
1 Quote
CVE-2025-31161 is the latest example of a critical severity authentication bypass vulnerability in CrushFTP, a growing trend we’re seeing from attackers targeting managed file transfer (MFT) platforms. https://t.co/kLgLN019bn
@HuntressLabs
4 Apr 2025
3036 Impressions
9 Retweets
27 Likes
3 Bookmarks
1 Reply
1 Quote
CVE-2025-31161 CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited… https://t.co/gTFCg97kaN
@CVEnew
4 Apr 2025
334 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
The authentication bypass vulnerability (CVE-2025-31161) in the CrushFTP file transfer server is a critical flaw that allows access via the HTTP(S) port without authentication, and its CVSS score is very high at 9.8.
@yousukezan
3 Apr 2025
484 Impressions
0 Retweets
1 Like
2 Bookmarks
0 Replies
0 Quotes
[CVE-2025-31161: CRITICAL] Vulnerability in CrushFTP allows for cyber attackers to bypass authentication and take over the crushadmin account, exploited in the wild in March and April 2025. #cybersecurity #vulnerability https://t.co/LqCAdnWElH https://t.co/JpulMDZtd
@CveFindCom
3 Apr 2025
61 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy - (CVE-2025-31161 vs. CVE-2025-2825) https://t.co/89A8CpEzLo
@SecurityWeek
3 Apr 2025
1697 Impressions
11 Retweets
15 Likes
2 Bookmarks
1 Reply
0 Quotes
🚨 CVE Alert: Critical CrushFTP Authentication Bypass Vulnerability🚨 Vulnerability Details: CVE-2025-31161 (CVSS v3 9.8/10) CrushFTP Authentication Bypass Vulnerability Impact: A successful exploit of CVE-2025-31161 may allow unauthenticated attackers to gain unauthorized http
@CyberxtronTech
3 Apr 2025
72 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CrushFTP Blames Security Firms for Fast Exploitation of Vulnerability Shadowserver has started seeing exploitation attempts aimed at a CrushFTP vulnerability tracked as CVE-2025-2825 and CVE-2025-31161. https://t.co/qyj56WI1bR https://t.co/aUSE1iJ8Zg
@persistsec
1 Apr 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes