CVE-2025-31161
CrushFTP Authentication Bypass Vulnerability - [Actively Exploited]
Description
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
INFO
Published Date :
April 3, 2025, 8:15 p.m.
Last Modified :
April 21, 2025, 9:03 p.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
5.9
Exploitability Score :
3.9
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update ; https://nvd.nist.gov/vuln/detail/CVE-2025-31161
Public PoC/Exploit Available at Github
CVE-2025-31161 has a 15 public PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-31161.
| URL | Resource |
|---|---|
| https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo | Vendor Advisory |
| https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/ | Third Party Advisory |
| https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis | Exploit Third Party Advisory |
| https://projectdiscovery.io/blog/crushftp-authentication-bypass | Exploit Third Party Advisory |
| https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation | Press/Media Coverage |
| https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation | Exploit Third Party Advisory |
| https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure/ | Press/Media Coverage |
| https://www.vicarius.io/vsociety/posts/cve-2025-31161-detect-crushftp-vulnerability | Exploit Third Party Advisory |
| https://www.vicarius.io/vsociety/posts/cve-2025-31161-mitigate-crushftp-vulnerability | Mitigation Third Party Advisory |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
CVE-2025-31161
Python
None
Dockerfile Shell CSS HTML JavaScript XSLT ASP.NET Less
🛡️ CVE-2025-31161 - CrushFTP User Creation Authentication Bypass Exploit
Python
None
CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP WebInterface. This tool allows security researchers to scan for vulnerable instances and verify the security posture of CrushFTP servers.
Python
CVE-2025-31161 python exploit
Python
Official Nuclei template for CVE-2025-31161 (formerly CVE-2025-2825)
Проверка наличие пути /WebInterface/function
CrushFTP CVE-2025-31161 Exploit Tool 🔓
Python
Shattered is a tool and POC for the new CrushedFTP vulns, CVE Exploit Script: CVE-2025-2825 vs CVE-2025-31161
Python
None
Proof of Concept for CVE-2025-31161 / CVE-2025-2825
Python
CISA Bot is a GitHub bot that automatically monitors the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. When new vulnerabilities are published in the KEV, the bot creates GitHub issues in this repository with detailed information about each vulnerability.
Python
Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.
cisa-kev vulnerability 0day cisa exploits
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
security cve exploit poc vulnerability
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-31161 vulnerability anywhere in the article.
-
The Cyber Express
HPE StoreOnce Faces Critical CVE-2025-37093 Vulnerability — Urges Immediate Patch Upgrade
Hewlett Packard Enterprise (HPE) has issued a new security advisory addressing eight newly discovered vulnerabilities in its StoreOnce data backup and deduplication platform. Among these, the most sev ... Read more
-
The Cyber Express
Yokogawa Recorder Vulnerability Could Let Attackers Hijack Critical Industrial Systems
A high-severity vulnerability has been discovered in a range of industrial recorder and data acquisition systems produced by Yokogawa Electric Corporation, a Japan-based automation and measurement equ ... Read more
-
The Hacker News
Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability
Vulnerability / Endpoint Security A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven differ ... Read more
-
huntress.com
CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild
Special thanks to Craig Sweeney, Hayden Drummond, Michael Tigges, Tanner Filip, Jevon Ang, Jamie Dumas, Stephanie Fairless, and Lindsey Welch for their contributions and support for this writeup. On F ... Read more
-
The Cyber Express
100,000+ WordPress Sites at Risk as SureTriggers Exploit Goes Live
A recently uncovered SureTriggers vulnerability has put more than 100,000 websites at risk, highlighting once again how critical plugin security is for WordPress site administrators. The vulnerability ... Read more
-
Dark Reading
CrushFTP Exploitation Continues Amid Disclosure Dispute
Source: lumerb via Alamy Stock PhotoExploitation activity continues against a critical vulnerability in CrushFTP file transfer software, which has been mired in an ongoing disclosure dispute.On April ... Read more
-
databreaches.net
CISA, experts warn of Crush file transfer attacks after a controversial disclosure
Jonathan Greig reports on another vulnerability affecting file transfer software that has been exploited soon after disclosure. In this case, though, there’s some contentious statements about responsi ... Read more
-
TheCyberThrone
CISA KEV Catalog Update Part II – April 2025
The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding several critical vulnerabilities that are actively being expl ... Read more
-
The Cyber Express
CERT-In Flags Info Disclosure Flaw in TP-Link Tapo H200 Smart Hub
A new vulnerability has been identified in the TP-Link Tapo H200 V1 IoT Smart Hub that could allow attackers to access sensitive information, particularly Wi-Fi credentials. The Computer Emergency Res ... Read more
-
The Cyber Express
Remote Code Execution & Privilege Escalation: Two New Threats in CISA’s KEV
The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding two new vulnerabilities that are actively being exploited in ... Read more
-
Cyber Security News
CISA Warns of CrushFTP Authentication Bypass Vulnerability Exploited in Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical authentication bypass vulnerability in CrushFTP file transfer software to its Known Exploited Vulnerabilities (KEV) Cat ... Read more
-
The Cyber Express
Microsoft Patch Tuesday April 2025: One Zero-Day, 11 High-Risk Flaws
Microsoft Patch Tuesday for April 2025 included fixes for 135 vulnerabilities in all, including one actively exploited zero-day and an additional 11 high-risk vulnerabilities. In all, Patch Tuesday Ap ... Read more
-
The Cyber Express
CISA Warns of CrushFTP Exploit Letting Attackers Bypass Authentication
The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a new vulnerability to its Known Exploited Vulnerabilities Catalog. The vulnerability, identified as CVE-2025-31161, is a ... Read more
-
security.nl
Criminelen claimen grootschalige, gevoelige datadiefstal via CrushFTP-servers
Criminelen claimen op internet dat ze via kwetsbare CrushFTP-servers op grote schaal gevoelige informatie van bedrijven wereldwijd hebben gestolen. Getroffen ondernemingen worden de komende dagen bena ... Read more
-
The Hacker News
CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation
Cyber Attack / Vulnerability A recently disclosed critical security flaw impacting CrushFTP has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vu ... Read more
-
huntress.com
CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation
UPDATED 04/08/2025 @ 3pm ET TL;DR: CVE-2025-31161 is a critical severity vulnerability allowing attackers to control how user authentication is handled by CrushFTP managed file transfer (MFT) software ... Read more
-
Dark Reading
Disclosure Drama Clouds CrushFTP Vulnerability Exploitation
Aleksey Funtap via Alamy Stock PhotoA critical CrushFTP vulnerability now under exploitation in the wild has become mired in controversy and confusion.On March 31, the Shadowserver Foundation reported ... Read more
The following table lists the changes that have been made to the
CVE-2025-31161 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Apr. 21, 2025
Action Type Old Value New Value Added Reference Type CVE: https://www.vicarius.io/vsociety/posts/cve-2025-31161-detect-crushftp-vulnerability Types: Exploit, Third Party Advisory Added Reference Type CVE: https://www.vicarius.io/vsociety/posts/cve-2025-31161-mitigate-crushftp-vulnerability Types: Mitigation, Third Party Advisory -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Apr. 21, 2025
Action Type Old Value New Value Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-31161-detect-crushftp-vulnerability Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-31161-mitigate-crushftp-vulnerability -
Initial Analysis by [email protected]
Apr. 08, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE NVD-CWE-Other Added CPE Configuration OR *cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:* versions from (including) 10.0.0 up to (excluding) 10.8.4 *cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:* versions from (including) 11.0.0 up to (excluding) 11.3.1 Added Reference Type CVE: https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis Types: Exploit, Third Party Advisory Added Reference Type MITRE: https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo Types: Vendor Advisory Added Reference Type MITRE: https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/ Types: Third Party Advisory Added Reference Type CVE: https://projectdiscovery.io/blog/crushftp-authentication-bypass Types: Exploit, Third Party Advisory Added Reference Type CVE: https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation Types: Press/Media Coverage Added Reference Type CVE: https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation Types: Exploit, Third Party Advisory Added Reference Type CVE: https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure/ Types: Press/Media Coverage -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Apr. 08, 2025
Action Type Old Value New Value Added Date Added 2025-04-07 Added Due Date 2025-04-28 Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Added Vulnerability Name CrushFTP Authentication Bypass Vulnerability -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Apr. 05, 2025
Action Type Old Value New Value Added Reference https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure/ -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Apr. 05, 2025
Action Type Old Value New Value Added Reference https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Apr. 05, 2025
Action Type Old Value New Value Added Reference https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Apr. 05, 2025
Action Type Old Value New Value Added Reference https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation -
New CVE Received by [email protected]
Apr. 03, 2025
Action Type Old Value New Value Added Description CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-305 Added Reference https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo Added Reference https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/ -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Apr. 03, 2025
Action Type Old Value New Value Added Reference https://projectdiscovery.io/blog/crushftp-authentication-bypass
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-31161 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-31161
weaknesses.