Critical CrushFTP Authentication Bypass Vulnerability CVE-2025-31161: What You Need to Know

CVE-2025-31161 is a critical authentication bypass vulnerability that affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.[1] This vulnerability allows unauthenticated attackers to bypass authentication and gain unauthorized access to the file transfer system, potentially leading to complete system compromise.[2]

Impact and Risk

The vulnerability is rated with a CVSS score of 9.8, indicating critical severity.[1] Attackers can exploit this vulnerability to:[2]

  1. Bypass authentication mechanisms
  2. Gain unauthorized access to file transfer systems
  3. Potentially execute arbitrary code
  4. Access sensitive data
  5. Use the system as a pivot point for further attacks

Current Status

  • Exploitation Status: Actively exploited in ransomware campaigns.[3]
  • Detection: Added to CISA's Known Exploited Vulnerabilities catalog on April 7, 2025.[3]
  • Mitigation: Immediate patching required.[4]

Technical Details

The vulnerability exists in the way CrushFTP handles S3-style authentication headers.[2] Specifically:

  1. The system incorrectly accepts the "crushadmin/" credential as valid without proper password verification.[2]
  2. Attackers can exploit this by:
    • Using a spoofed AWS header
    • Crafting a specific 44-character CrushAuth cookie value
    • Manipulating the c2f parameter

What You Need to Do

  1. Immediate Action:
    • Update to CrushFTP version 11.2.3 or 10.8.3 immediately
    • These versions contain the security fix
  2. Detection:
    • Monitor for unauthorized access attempts
    • Check system logs for suspicious activity
    • Implement network monitoring for exploitation attempts
  3. Prevention:
    • Apply the security update as soon as possible
    • Consider disabling S3 protocol if not needed
    • Implement additional authentication layers
    • Regularly audit system access logs
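The indicators named in the Technical Details section (an S3-style AWS Authorization header carrying the "crushadmin/" credential, a 44-character CrushAuth cookie, and a c2f parameter) can be turned into a log triage check for the Detection step above. The following is an added example, not code from this article or from CrushFTP; the key=value access-log format, its field names (ts, src, auth, cookie, query) and the sample records are constructed for illustration and do not reflect CrushFTP's real log format.

```python
import re

# Constructed sample records in a hypothetical key=value access-log format
# (illustrative only; this is not CrushFTP's actual log format).
FAKE_COOKIE = "A" * 44  # constructed value; only its length matters here
SAMPLE_LOG = "\n".join([
    "ts=2025-04-08T10:01:12Z src=10.0.0.5 method=GET path=/ status=200 auth=- cookie=- query=-",
    "ts=2025-04-08T10:02:44Z src=198.51.100.7 method=GET path=/ status=200 "
    f'auth="AWS crushadmin/:FAKESIG" cookie="CrushAuth={FAKE_COOKIE}" query="c2f=XXXX"',
    'ts=2025-04-08T10:03:01Z src=203.0.113.9 method=GET path=/ status=200 auth="AWS EXAMPLEKEY:FAKESIG" cookie=- query=-',
])

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
COOKIE_RE = re.compile(r"CrushAuth=([^;\s]+)")
C2F_RE = re.compile(r"(?:^|&)c2f=")

def parse_record(line: str) -> dict:
    """Split one log line into a dict, stripping surrounding quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def indicators_for(rec: dict) -> list:
    """Return the CVE-2025-31161 indicators named in the advisory summary that a record shows."""
    hits = []
    auth = rec.get("auth", "-")
    if auth.startswith("AWS ") and "crushadmin/" in auth:  # S3-style header with crushadmin/
        hits.append("aws-header-crushadmin")
    m = COOKIE_RE.search(rec.get("cookie", ""))
    if m and len(m.group(1)) == 44:                        # 44-character CrushAuth cookie
        hits.append("crushauth-44")
    if C2F_RE.search(rec.get("query", "")):                # c2f request parameter present
        hits.append("c2f-param")
    return hits

def scan(log_text: str) -> list:
    """Flag records carrying the crushadmin/ AWS-header indicator, or two or more
    of the weaker indicators together; returns (ts, src, indicators) tuples."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        hits = indicators_for(rec)
        if "aws-header-crushadmin" in hits or len(hits) >= 2:
            findings.append((rec.get("ts", "?"), rec.get("src", "?"), hits))
    return findings

if __name__ == "__main__":
    for ts, src, hits in scan(SAMPLE_LOG):
        print(f"{ts} {src} -> {', '.join(hits)}")
```

The cookie and c2f indicators are treated as weaker on their own and only reported in combination, a tuning choice of this example rather than guidance from the cited advisories.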

Timeline

  • March 26, 2025: NVD publishes vulnerability details.[1]
  • March 26, 2025: CrushFTP releases security updates.[4]
  • March 27, 2025: Security advisories begin circulating.[2]
  • March 28, 2025: ProjectDiscovery publishes detailed analysis.[2]
  • April 7, 2025: CISA adds to KEV catalog.[3]
  • April 13, 2025: Widespread exploitation confirmed.[3]

Final Thoughts

The rapid exploitation of CVE-2025-31161 highlights the critical importance of timely patch management and vigilant monitoring for all organizations running file transfer solutions.

With this vulnerability actively leveraged in ransomware campaigns and officially recognized by CISA and NIST, it is essential to prioritize immediate upgrades to the fixed CrushFTP versions (11.2.3 or 10.8.3) and to review system logs for any signs of compromise.

Ongoing awareness of vendor advisories and authoritative threat intelligence sources remains vital for maintaining a strong security posture. For further technical details and remediation guidance, consult the official advisories and the resources cited below.

Footnotes

  1. NIST NVD: CVE-2025-31161
  2. ProjectDiscovery: CrushFTP Authentication Bypass - CVE-2025-31161
  3. CISA Known Exploited Vulnerabilities Catalog
  4. CrushFTP Security Advisory/Changelog