🔴 CVE-2025-31161

Critical authentication bypass vulnerability in CrushFTP server allows attackers to take over admin accounts via malformed AWS4-HMAC headers. The vulnerability has been actively exploited in the wild and is listed in CISA KEV.

Risk Level: HIGH_RISK
CVSS Score: 9.8
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: Yes (+423d)

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-04-03

Added to CISA KEV: 2025-04-07 (4 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-31161 is a critical authentication bypass vulnerability affecting CrushFTP software, which has been subject to active exploitation in the wild [1] [3].

Vulnerability Overview
  • Nature of Vulnerability: The flaw is an authentication bypass vulnerability stemming from a race condition in the AWS4-HMAC (S3-compatible) authorization method within the HTTP component of the CrushFTP server [1].
  • CVSS Score: 9.8 (Critical) [2].
Exploitation and Impact
  • Attack Method: It is a remote, unauthenticated attack that does not require user interaction [2].
  • Impact: Successful exploitation allows an attacker to bypass authentication and take over the `crushadmin` account, effectively granting full administrative control over the affected CrushFTP instance [1].
  • Active Exploitation: The vulnerability was observed being exploited in the wild starting in March and April 2025 [1] [3].
  • Post-Exploitation: Threat actors have been observed leveraging this access to deploy further malware, including tools like MeshCentral, to maintain persistence and conduct post-exploitation activities [3].
  • PoC Availability: Proof-of-concept (PoC) exploit code has been made publicly available, including tools capable of creating new administrative user accounts [2] [4].
Affected Versions and Mitigation
  • Affected Versions:
    * CrushFTP 10: Versions before 10.8.4 [1]
    * CrushFTP 11: Versions before 11.3.1 [1]
  • Mitigation: Users are strongly advised to upgrade to version 10.8.4+ or 11.3.1+ immediately [2]. Additionally, using a DMZ proxy instance can help mitigate the risk of this specific authentication bypass [1].

Sources

  1. CVE-2025-31161 Detail - NVD

    CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used) ...

  2. Unauthenticated Auth Bypass Vulnerability in CrushFTP [CVE-2025 ...

    With a CVSS score of 9.8, this vulnerability allows unauthenticated remote attackers to bypass authentication. Researchers from OutPost24 initially discovered ... Date of Disclosure (source): March 21, 2025 Date Reported as Actively Exploited (source): April 7, 2025 CVE-2025-31161 (initially tracked…

  3. CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation

    Huntress observed in-the-wild exploitation of CVE-2025-31161, an authentication bypass vulnerability in versions of CrushFTP and further post-exploitation leve…

  4. Immersive-Labs-Sec/CVE-2025-31161 - GitHub

    This POC will exploit the auth bypass vulnerability to create a new user account with Admin level permissions.