Known Exploited Vulnerability
9.8
CRITICAL
CVE-2025-31161
CrushFTP Authentication Bypass Vulnerability - [Actively Exploited]
Description

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
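The description above gives a defender two concrete handles: the affected version ranges and the shape of the malformed AWS4-HMAC authorization header (a Credential scope cut down to "user/" with no SignedHeaders entry). The script below is an added example, not code from the cvefeed.io record, NVD, or the CrushFTP project. It (1) checks a CrushFTP version string against the NVD CPE ranges quoted on this page and (2) flags Authorization header values with that truncated shape. The log line format, client IPs and usernames are constructed for the example; it assumes you can export the Authorization header of requests to the CrushFTP HTTP(S) port from a reverse proxy or access log, and the five-part credential scope it expects is the standard AWS SigV4 layout.

```python
"""Defensive checks for CVE-2025-31161, added here as an example; this is not
code from the cvefeed.io record, NVD, or the CrushFTP project.

1. is_affected_version(): compares a CrushFTP version string against the NVD
   CPE ranges listed on this page (10.0.0 <= v < 10.8.4, 11.0.0 <= v < 11.3.1).
2. analyze_authorization() / scan_log(): flags AWS4-HMAC-SHA256 Authorization
   headers whose Credential scope is truncated to "<user>/" or that carry no
   SignedHeaders entry, the malformed shape the NVD description attributes to
   the bypass. The log line format, IPs and usernames below are constructed
   for this example (assumption: the Authorization header of requests to the
   CrushFTP HTTP(S) port is available from a proxy or access log).
"""
import re

# Affected version ranges from the NVD CPE configuration on this page.
AFFECTED_RANGES = [((10, 0, 0), (10, 8, 4)), ((11, 0, 0), (11, 3, 1))]


def parse_version(v: str) -> tuple:
    """'11.3.1_02' -> (11, 3, 1); anything after the third number is ignored."""
    nums = [int(p) for p in re.findall(r"\d+", v)[:3]]
    if not nums:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected_version(v: str) -> bool:
    ver = parse_version(v)
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)


AWS4_RE = re.compile(r"^AWS4-HMAC-SHA256\s+(?P<params>.*)$")
EXPECTED_SCOPE_PARTS = 5  # <key>/<date>/<region>/<service>/aws4_request (standard SigV4)


def analyze_authorization(value: str) -> dict:
    """Describe one Authorization header value; 'suspicious' is the detection verdict."""
    m = AWS4_RE.match(value.strip())
    if not m:
        return {"scheme": "other", "suspicious": False, "reasons": [], "user": None}
    fields = {}
    for part in m.group("params").split(","):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key.strip()] = val.strip()
    scope = fields.get("Credential", "").split("/")
    reasons = []
    if len(scope) < EXPECTED_SCOPE_PARTS:
        reasons.append(f"credential scope has {len(scope)} parts, expected {EXPECTED_SCOPE_PARTS}")
    if "SignedHeaders" not in fields:
        reasons.append("SignedHeaders missing")
    if "Signature" not in fields:
        reasons.append("Signature missing")
    return {"scheme": "aws4", "suspicious": bool(reasons), "reasons": reasons, "user": scope[0]}


# Constructed sample lines: <client ip> <request path> "<Authorization header value>"
SAMPLE_LOG = [
    '203.0.113.5 /WebInterface/function/ "AWS4-HMAC-SHA256 Credential=svc_backup/20250403/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=0123abcd"',
    '203.0.113.9 /WebInterface/function/ "AWS4-HMAC-SHA256 Credential=svc_backup/"',
    '198.51.100.7 /WebInterface/ "Basic c3ZjX2JhY2t1cDpwdw=="',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<path>\S+) "(?P<auth>[^"]*)"$')


def scan_log(lines) -> list:
    """Return one finding per line whose AWS4 Authorization header looks malformed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_authorization(m.group("auth"))
        if finding["suspicious"]:
            hits.append({"ip": m.group("ip"), "path": m.group("path"), **finding})
    return hits


if __name__ == "__main__":
    for v in ("10.8.3", "10.8.4", "11.2.3", "11.3.1"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["user"], "; ".join(hit["reasons"]))
```

The version check is only a triage aid: the vendor wiki linked under Notes is the authority on which builds carry the fix, and a DMZ proxy instance changes the exposure. The header heuristic is deliberately broad (any SigV4 header with fewer than five scope parts or no SignedHeaders), so expect it to also surface buggy S3 clients; it is a starting point for a SIEM rule, not a verdict of compromise.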

INFO

Published Date :

April 3, 2025, 8:15 p.m.

Last Modified :

April 21, 2025, 9:03 p.m.

Remotely Exploitable :

Yes

Impact Score :

5.9

Exploitability Score :

3.9
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Notes :

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update ; https://nvd.nist.gov/vuln/detail/CVE-2025-31161

Public PoC/Exploit Available at Github

CVE-2025-31161 has 15 public PoCs/exploits available on GitHub. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by the CVE-2025-31161 vulnerability. Although cvefeed.io is aware of the exact affected versions of these products, that information is not represented in the table below.

ID Vendor Product Action
1 Crushftp crushftp

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by most recently updated).

CVE-2025-31161

Python

Updated: 5 hours, 56 minutes ago
0 stars 0 fork 0 watcher
Born at : June 6, 2025, 9:14 a.m. This repo is linked to 2 different CVEs.

None

Dockerfile Shell CSS HTML JavaScript XSLT ASP.NET Less

Updated: 3 days, 18 hours ago
0 stars 0 fork 0 watcher
Born at : May 26, 2025, 8:45 p.m. This repo is linked to 1 CVE.

🛡️ CVE-2025-31161 - CrushFTP User Creation Authentication Bypass Exploit

Python

Updated: 1 week, 6 days ago
0 stars 0 fork 0 watcher
Born at : May 23, 2025, 9:04 p.m. This repo is linked to 1 CVE.

None

Updated: 3 weeks, 2 days ago
0 stars 1 fork 1 watcher
Born at : May 13, 2025, 5:40 p.m. This repo is linked to 1 CVE.

CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP WebInterface. This tool allows security researchers to scan for vulnerable instances and verify the security posture of CrushFTP servers.

Python

Updated: 1 month ago
1 stars 0 fork 0 watcher
Born at : May 1, 2025, 9:57 p.m. This repo is linked to 1 CVE.

CVE-2025-31161 python exploit

Python

Updated: 1 month, 1 week ago
0 stars 0 fork 0 watcher
Born at : April 24, 2025, 10:09 p.m. This repo is linked to 2 different CVEs.

Official Nuclei template for CVE-2025-31161 (formerly CVE-2025-2825)

Updated: 1 month, 1 week ago
0 stars 0 fork 0 watcher
Born at : April 24, 2025, 10:25 a.m. This repo is linked to 2 different CVEs.

Check for the presence of the path /WebInterface/function

Updated: 1 month, 1 week ago
0 stars 0 fork 0 watcher
Born at : April 24, 2025, 7:52 a.m. This repo is linked to 1 CVE.

CrushFTP CVE-2025-31161 Exploit Tool 🔓

Python

Updated: 1 month, 2 weeks ago
1 stars 0 fork 0 watcher
Born at : April 21, 2025, 11:57 p.m. This repo is linked to 1 CVE.

Shattered is a tool and POC for the new CrushedFTP vulns, CVE Exploit Script: CVE-2025-2825 vs CVE-2025-31161

Python

Updated: 4 weeks, 1 day ago
10 stars 1 fork 1 watcher
Born at : April 11, 2025, 10:54 a.m. This repo is linked to 2 different CVEs.

None

Updated: 1 month, 3 weeks ago
1 stars 0 fork 0 watcher
Born at : April 9, 2025, 2:38 p.m. This repo is linked to 1 CVE.

Proof of Concept for CVE-2025-31161 / CVE-2025-2825

Python

Updated: 1 month, 1 week ago
5 stars 3 fork 3 watcher
Born at : April 8, 2025, 3:37 p.m. This repo is linked to 2 different CVEs.

CISA Bot is a GitHub bot that automatically monitors the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. When new vulnerabilities are published in the KEV, the bot creates GitHub issues in this repository with detailed information about each vulnerability.

Python

Updated: 6 days, 7 hours ago
1 stars 0 fork 0 watcher
Born at : Oct. 29, 2024, 10:19 a.m. This repo is linked to 151 different CVEs.

Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.

cisa-kev vulnerability 0day cisa exploits

Updated: 4 weeks, 1 day ago
564 stars 38 fork 38 watcher
Born at : April 19, 2022, 8:58 a.m. This repo is linked to 1277 different CVEs.

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 1 month, 1 week ago
6873 stars 1158 fork 1158 watcher
Born at : Dec. 8, 2019, 1:03 p.m. This repo is linked to 848 different CVEs.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2025-31161 vulnerability anywhere in the article.

  • The Cyber Express
HPE StoreOnce Faces Critical CVE-2025-37093 Vulnerability — Urges Immediate Patch Upgrade

Hewlett Packard Enterprise (HPE) has issued a new security advisory addressing eight newly discovered vulnerabilities in its StoreOnce data backup and deduplication platform. Among these, the most sev ... Read more

Published Date: Jun 04, 2025 (2 days, 4 hours ago)
  • The Cyber Express
Yokogawa Recorder Vulnerability Could Let Attackers Hijack Critical Industrial Systems

A high-severity vulnerability has been discovered in a range of industrial recorder and data acquisition systems produced by Yokogawa Electric Corporation, a Japan-based automation and measurement equ ... Read more

Published Date: Apr 21, 2025 (1 month, 2 weeks ago)
  • The Hacker News
Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability

A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven differ ... Read more

Published Date: Apr 15, 2025 (1 month, 3 weeks ago)
  • huntress.com
CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild

Special thanks to Craig Sweeney, Hayden Drummond, Michael Tigges, Tanner Filip, Jevon Ang, Jamie Dumas, Stephanie Fairless, and Lindsey Welch for their contributions and support for this writeup. On F ... Read more

Published Date: Apr 14, 2025 (1 month, 3 weeks ago)
  • The Cyber Express
100,000+ WordPress Sites at Risk as SureTriggers Exploit Goes Live

A recently uncovered SureTriggers vulnerability has put more than 100,000 websites at risk, highlighting once again how critical plugin security is for WordPress site administrators. The vulnerability ... Read more

Published Date: Apr 11, 2025 (1 month, 3 weeks ago)
  • Dark Reading
CrushFTP Exploitation Continues Amid Disclosure Dispute

Exploitation activity continues against a critical vulnerability in CrushFTP file transfer software, which has been mired in an ongoing disclosure dispute. On April ... Read more

Published Date: Apr 09, 2025 (1 month, 3 weeks ago)
  • databreaches.net
CISA, experts warn of Crush file transfer attacks after a controversial disclosure

Jonathan Greig reports on another vulnerability affecting file transfer software that has been exploited soon after disclosure. In this case, though, there’s some contentious statements about responsi ... Read more

Published Date: Apr 09, 2025 (1 month, 4 weeks ago)
  • TheCyberThrone
CISA KEV Catalog Update Part II – April 2025

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding several critical vulnerabilities that are actively being expl ... Read more

Published Date: Apr 09, 2025 (1 month, 4 weeks ago)
  • The Cyber Express
CERT-In Flags Info Disclosure Flaw in TP-Link Tapo H200 Smart Hub

A new vulnerability has been identified in the TP-Link Tapo H200 V1 IoT Smart Hub that could allow attackers to access sensitive information, particularly Wi-Fi credentials. The Computer Emergency Res ... Read more

Published Date: Apr 09, 2025 (1 month, 4 weeks ago)
  • The Cyber Express
Remote Code Execution & Privilege Escalation: Two New Threats in CISA’s KEV

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding two new vulnerabilities that are actively being exploited in ... Read more

Published Date: Apr 09, 2025 (1 month, 4 weeks ago)
  • Cyber Security News
CISA Warns of CrushFTP Authentication Bypass Vulnerability Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical authentication bypass vulnerability in CrushFTP file transfer software to its Known Exploited Vulnerabilities (KEV) Cat ... Read more

Published Date: Apr 09, 2025 (1 month, 4 weeks ago)
  • The Cyber Express
Microsoft Patch Tuesday April 2025: One Zero-Day, 11 High-Risk Flaws

Microsoft Patch Tuesday for April 2025 included fixes for 135 vulnerabilities in all, including one actively exploited zero-day and an additional 11 high-risk vulnerabilities. In all, Patch Tuesday Ap ... Read more

Published Date: Apr 08, 2025 (1 month, 4 weeks ago)
  • The Cyber Express
CISA Warns of CrushFTP Exploit Letting Attackers Bypass Authentication

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a new vulnerability to its Known Exploited Vulnerabilities Catalog. The vulnerability, identified as CVE-2025-31161, is a ... Read more

Published Date: Apr 08, 2025 (1 month, 4 weeks ago)
  • security.nl
Criminals claim large-scale theft of sensitive data via CrushFTP servers

Criminals claim on the internet that they have stolen sensitive information from companies worldwide on a large scale via vulnerable CrushFTP servers. Affected companies will in the coming days be ... Read more

Published Date: Apr 08, 2025 (1 month, 4 weeks ago)
  • The Hacker News
CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation

A recently disclosed critical security flaw impacting CrushFTP has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vu ... Read more

Published Date: Apr 08, 2025 (1 month, 4 weeks ago)
  • huntress.com
CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation

UPDATED 04/08/2025 @ 3pm ET TL;DR: CVE-2025-31161 is a critical severity vulnerability allowing attackers to control how user authentication is handled by CrushFTP managed file transfer (MFT) software ... Read more

Published Date: Apr 04, 2025 (2 months ago)
  • Dark Reading
Disclosure Drama Clouds CrushFTP Vulnerability Exploitation

A critical CrushFTP vulnerability now under exploitation in the wild has become mired in controversy and confusion. On March 31, the Shadowserver Foundation reported ... Read more

Published Date: Apr 03, 2025 (2 months ago)

The following table lists the changes that have been made to the CVE-2025-31161 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Apr. 21, 2025

    Action Type Old Value New Value
    Added Reference Type CVE: https://www.vicarius.io/vsociety/posts/cve-2025-31161-detect-crushftp-vulnerability Types: Exploit, Third Party Advisory
    Added Reference Type CVE: https://www.vicarius.io/vsociety/posts/cve-2025-31161-mitigate-crushftp-vulnerability Types: Mitigation, Third Party Advisory
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 21, 2025

    Action Type Old Value New Value
    Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-31161-detect-crushftp-vulnerability
    Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-31161-mitigate-crushftp-vulnerability
  • Initial Analysis by [email protected]

    Apr. 08, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE NVD-CWE-Other
    Added CPE Configuration OR *cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:* versions from (including) 10.0.0 up to (excluding) 10.8.4 *cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:* versions from (including) 11.0.0 up to (excluding) 11.3.1
    Added Reference Type CVE: https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis Types: Exploit, Third Party Advisory
    Added Reference Type MITRE: https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo Types: Vendor Advisory
    Added Reference Type MITRE: https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/ Types: Third Party Advisory
    Added Reference Type CVE: https://projectdiscovery.io/blog/crushftp-authentication-bypass Types: Exploit, Third Party Advisory
    Added Reference Type CVE: https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation Types: Press/Media Coverage
    Added Reference Type CVE: https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation Types: Exploit, Third Party Advisory
    Added Reference Type CVE: https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure/ Types: Press/Media Coverage
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Apr. 08, 2025

    Action Type Old Value New Value
    Added Date Added 2025-04-07
    Added Due Date 2025-04-28
    Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
    Added Vulnerability Name CrushFTP Authentication Bypass Vulnerability
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 05, 2025

    Action Type Old Value New Value
    Added Reference https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure/
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 05, 2025

    Action Type Old Value New Value
    Added Reference https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 05, 2025

    Action Type Old Value New Value
    Added Reference https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 05, 2025

    Action Type Old Value New Value
    Added Reference https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation
  • New CVE Received by [email protected]

    Apr. 03, 2025

    Action Type Old Value New Value
    Added Description CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-305
    Added Reference https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo
    Added Reference https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 03, 2025

    Action Type Old Value New Value
    Added Reference https://projectdiscovery.io/blog/crushftp-authentication-bypass
EPSS is a daily estimate of the probability that exploitation activity will be observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-31161 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-31161 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector : Network
Attack Complexity : Low
Privileges Required : None
User Interaction : None
Scope : Unchanged
Confidentiality : High
Integrity : High
Availability : High
© cvefeed.io
Latest DB Update: Jun. 06, 2025 16:08