Known Exploited Vulnerability
9.8
CRITICAL
CVE-2025-31161
CrushFTP Authentication Bypass Vulnerability - [Actively Exploited]
Description

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
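As an added example (not CrushFTP's code and not part of the original cvefeed.io record), the Python below turns the description above into two concrete checks. First, a strict parser for an AWS4-HMAC-style Authorization header that resolves no user until Credential, SignedHeaders and Signature are all present and well-formed; this is the fail-closed ordering the description says the vulnerable path lacked, where the user was looked up and the session marked authenticated before the SignedHeaders lookup failed. Second, a scanner that flags the mangled "Credential=<user>/" form, and more generally any AWS4-HMAC header with no SignedHeaders entry, in access logs. Assumptions: the header layout is the standard AWS Signature Version 4 form ("AWS4-HMAC-SHA256 Credential=..., SignedHeaders=..., Signature=..."); the log line format and the sample lines are constructed for this example and are not CrushFTP's own log format.

```python
"""Added illustration, not CrushFTP code: strict AWS4-HMAC Authorization header
parsing, plus an access-log scanner for the mangled header form the CVE text
describes. Header layout is standard AWS SigV4; the log format and the sample
lines below are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Optional

# Standard SigV4 algorithm label; that CrushFTP matches exactly this string is an assumption.
AWS4_PREFIX = "AWS4-HMAC-SHA256"


@dataclass
class SigV4Header:
    user: str            # access key id, i.e. the username in CrushFTP's S3-compatible mode
    scope: str           # date/region/service/aws4_request
    signed_headers: list
    signature: str


def parse_sigv4_authorization(value: str) -> Optional[SigV4Header]:
    """Return a header object only if every field is present and well-formed.

    Fail-closed ordering: nothing here resolves a user or touches session state
    until the whole header has been validated, so a partial header such as
    'Credential=crushadmin/' never reaches a user lookup.
    """
    if not value.startswith(AWS4_PREFIX + " "):
        return None
    fields = {}
    for part in value[len(AWS4_PREFIX) + 1:].split(","):
        if "=" not in part:
            return None
        key, val = part.strip().split("=", 1)
        fields[key.strip()] = val.strip()
    if any(not fields.get(k) for k in ("Credential", "SignedHeaders", "Signature")):
        return None
    cred = fields["Credential"].split("/")
    # Credential = <key-id>/<date>/<region>/<service>/aws4_request : five non-empty parts
    if len(cred) != 5 or not all(cred) or cred[-1] != "aws4_request":
        return None
    if not re.fullmatch(r"[0-9a-f]{64}", fields["Signature"]):
        return None
    return SigV4Header(cred[0], "/".join(cred[1:]),
                       fields["SignedHeaders"].split(";"), fields["Signature"])


def is_mangled_aws4_header(value: str) -> bool:
    """True for the attack shape in the description: an AWS4-HMAC header whose
    Credential is just '<user>/' and/or that carries no SignedHeaders entry."""
    if not value.startswith(AWS4_PREFIX):
        return False
    m = re.search(r"Credential=([^,\s]*)", value)
    if m is None:
        return False
    credential = m.group(1)
    bare_user_slash = credential.endswith("/") and credential.count("/") == 1
    return bare_user_slash or "SignedHeaders=" not in value


def user_from_credential(value: str) -> str:
    m = re.search(r"Credential=([^,/\s]*)", value)
    return m.group(1) if m else ""


# Constructed log format: <ts> <src> <method> <path> <status> "<Authorization header or ->"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) '
                    r'(?P<status>\d{3}) "(?P<auth>[^"]*)"$')

GOOD_AUTH = ("AWS4-HMAC-SHA256 Credential=alice/20250402/us-east-1/s3/aws4_request, "
             "SignedHeaders=host;x-amz-date, Signature=" + "ab" * 32)

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2025-04-02T10:15:01Z 203.0.113.7 GET /WebInterface/function/ 200 "AWS4-HMAC-SHA256 Credential=crushadmin/"',
    f'2025-04-02T10:15:03Z 198.51.100.4 PUT /bucket/report.csv 200 "{GOOD_AUTH}"',
    '2025-04-02T10:16:10Z 198.51.100.9 GET /WebInterface/login.html 200 "-"',
    '2025-04-02T10:17:00Z 203.0.113.7 GET /WebInterface/function/ 200 '
    '"AWS4-HMAC-SHA256 Credential=crushadmin/20250402/us-east-1/s3/aws4_request"',
]


def scan_access_log(lines):
    """Return one finding per request whose Authorization header is mangled."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        auth = m.group("auth")
        if not is_mangled_aws4_header(auth):
            continue
        cred = re.search(r"Credential=([^,\s]*)", auth).group(1)
        bare = cred.endswith("/") and cred.count("/") == 1
        findings.append({
            "ts": m.group("ts"), "src": m.group("src"), "path": m.group("path"),
            "user": user_from_credential(auth),
            "reason": "bare '<user>/' credential" if bare else "missing SignedHeaders",
        })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The scanner is deliberately wider than the single mangled form in the description: a well-formed Credential with no SignedHeaders is also flagged, since that is the condition the description says skips session cleanup. Run it over exported HTTP access logs for the exposure window (March and April 2025) and treat any hit for an administrative user as an incident trigger, not just a scanner alert.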

INFO

Published Date: April 3, 2025, 8:15 p.m.
Last Modified: April 21, 2025, 9:03 p.m.
Remotely Exploitable: Yes
Impact Score: 5.9
Exploitability Score: 3.9
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description: CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise.

Date Added: 2025-04-07
Due Date: 2025-04-28

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Notes: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update ; https://nvd.nist.gov/vuln/detail/CVE-2025-31161

Public PoC/Exploit Available on GitHub

CVE-2025-31161 has 10 public PoCs/exploits available on GitHub; they are listed under Public Exploits below.

Affected Products

The following product is affected by CVE-2025-31161. The affected version ranges are taken from the NVD CPE configuration recorded in the vulnerability history below.

ID  Vendor    Product   Affected versions
1   Crushftp  crushftp  10.0.0 up to (excluding) 10.8.4; 11.0.0 up to (excluding) 11.3.1
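A helper added here (not part of the cvefeed.io page or of CrushFTP) that encodes the two affected ranges from the description and the CPE configuration, 10.0.0 up to but excluding 10.8.4 and 11.0.0 up to but excluding 11.3.1, and carries the DMZ-proxy caveat the description makes. It assumes a plain dotted numeric version string such as "11.2.3"; how CrushFTP formats version strings beyond that is not taken from the page.

```python
"""Added helper, not from cvefeed.io or CrushFTP: is a CrushFTP version string
inside the ranges the CVE text lists as affected? Assumes a plain dotted
numeric version such as "11.2.3"; anything after the leading digits is ignored."""
import re

# From the description and the NVD CPE configuration:
#   10.0.0 <= v < 10.8.4   and   11.0.0 <= v < 11.3.1
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 8, 4)),
    ((11, 0, 0), (11, 3, 1)),
)
FIXED_VERSIONS = {10: "10.8.4", 11: "11.3.1"}


def parse_version(text: str) -> tuple:
    """'11.3' -> (11, 3, 0); raises ValueError if there is no leading dotted number."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(version: str, behind_dmz_proxy: bool = False) -> str:
    """One-line verdict for an inventory entry."""
    v = parse_version(version)
    if not is_affected(version):
        return f"{version}: not in an affected range"
    fixed = FIXED_VERSIONS[v[0]]
    if behind_dmz_proxy:
        # The description says the bypass does not apply when a DMZ proxy instance
        # is used; that is a mitigating factor, not a reason to stay unpatched.
        return (f"{version}: affected range, but the description says the bypass does not "
                f"apply when a DMZ proxy instance is used; still upgrade to {fixed} or later")
    return f"{version}: VULNERABLE, upgrade to {fixed} or later"


if __name__ == "__main__":
    for entry in ("10.7.1", "10.8.4", "11.2.3", "11.3.1", "9.4.2"):
        print(triage(entry))
```

The 9.x branch falls outside both ranges only because the CVE record does not list it, not because it has been shown to be safe; treat an unlisted branch as "verify with the vendor", not "clean".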

We scan GitHub repositories to detect new proof-of-concept exploits. The following list collects public exploits and proofs of concept published on GitHub, sorted by most recently updated.

  • CVE-2025-31161 python exploit (Python)
    0 stars, 0 forks, 0 watchers. Created April 24, 2025, 10:09 p.m. Linked to 1 CVE.

  • Official Nuclei template for CVE-2025-31161 (formerly CVE-2025-2825)
    0 stars, 0 forks, 0 watchers. Created April 24, 2025, 10:25 a.m. Linked to 2 CVEs.

  • Check for the presence of the /WebInterface/function path (title translated from Russian)
    0 stars, 0 forks, 0 watchers. Created April 24, 2025, 7:52 a.m. Linked to 1 CVE.

  • CrushFTP CVE-2025-31161 Exploit Tool 🔓 (Python)
    1 star, 0 forks, 0 watchers. Created April 21, 2025, 11:57 p.m. Linked to 1 CVE.

  • Shattered is a tool and POC for the new CrushedFTP vulns, CVE Exploit Script: CVE-2025-2825 vs CVE-2025-31161 (Python)
    7 stars, 1 fork, 1 watcher. Created April 11, 2025, 10:54 a.m. Linked to 2 CVEs.

  • (repository with no description)
    1 star, 0 forks, 0 watchers. Created April 9, 2025, 2:38 p.m. Linked to 1 CVE.

  • Proof of Concept for CVE-2025-31161 / CVE-2025-2825 (Python)
    3 stars, 3 forks, 3 watchers. Created April 8, 2025, 3:37 p.m. Linked to 2 CVEs.

  • Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.
    Topics: cisa-kev, vulnerability, 0day, cisa, exploits. 563 stars, 39 forks, 39 watchers. Created April 19, 2022, 8:58 a.m. Linked to 1272 CVEs.

  • EPSS & VEDAS Score Aggregator for CVEs
    Topics: cve, vulnerability, exploit, epss, vedas. 236 stars, 34 forks, 34 watchers. Created April 13, 2021, 4:50 a.m. Linked to 123 CVEs.

  • 📡 PoC auto collect from GitHub. ⚠️ Be careful: malware.
    Topics: security, cve, exploit, poc, vulnerability. 6865 stars, 1157 forks, 1157 watchers. Created Dec. 8, 2019, 1:03 p.m. Linked to 850 CVEs.


The following news articles mention CVE-2025-31161 somewhere in the article.

  • The Cyber Express
Yokogawa Recorder Vulnerability Could Let Attackers Hijack Critical Industrial Systems

A high-severity vulnerability has been discovered in a range of industrial recorder and data acquisition systems produced by Yokogawa Electric Corporation, a Japan-based automation and measurement equ ...

Published Date: Apr 21, 2025
  • The Hacker News
Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability

A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven differ ...

Published Date: Apr 15, 2025
  • The Cyber Express
100,000+ WordPress Sites at Risk as SureTriggers Exploit Goes Live

A recently uncovered SureTriggers vulnerability has put more than 100,000 websites at risk, highlighting once again how critical plugin security is for WordPress site administrators. The vulnerability ...

Published Date: Apr 11, 2025
  • Dark Reading
CrushFTP Exploitation Continues Amid Disclosure Dispute

Exploitation activity continues against a critical vulnerability in CrushFTP file transfer software, which has been mired in an ongoing disclosure dispute. On April ...

Published Date: Apr 09, 2025
  • databreaches.net
CISA, experts warn of Crush file transfer attacks after a controversial disclosure

Jonathan Greig reports on another vulnerability affecting file transfer software that has been exploited soon after disclosure. In this case, though, there’s some contentious statements about responsi ...

Published Date: Apr 09, 2025
  • TheCyberThrone
CISA KEV Catalog Update Part II – April 2025

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding several critical vulnerabilities that are actively being expl ...

Published Date: Apr 09, 2025
  • The Cyber Express
CERT-In Flags Info Disclosure Flaw in TP-Link Tapo H200 Smart Hub

A new vulnerability has been identified in the TP-Link Tapo H200 V1 IoT Smart Hub that could allow attackers to access sensitive information, particularly Wi-Fi credentials. The Computer Emergency Res ...

Published Date: Apr 09, 2025
  • The Cyber Express
Remote Code Execution & Privilege Escalation: Two New Threats in CISA’s KEV

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding two new vulnerabilities that are actively being exploited in ...

Published Date: Apr 09, 2025
  • Cyber Security News
CISA Warns of CrushFTP Authentication Bypass Vulnerability Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical authentication bypass vulnerability in CrushFTP file transfer software to its Known Exploited Vulnerabilities (KEV) Cat ...

Published Date: Apr 09, 2025
  • The Cyber Express
Microsoft Patch Tuesday April 2025: One Zero-Day, 11 High-Risk Flaws

Microsoft Patch Tuesday for April 2025 included fixes for 135 vulnerabilities in all, including one actively exploited zero-day and an additional 11 high-risk vulnerabilities. In all, Patch Tuesday Ap ...

Published Date: Apr 08, 2025
  • The Cyber Express
CISA Warns of CrushFTP Exploit Letting Attackers Bypass Authentication

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a new vulnerability to its Known Exploited Vulnerabilities Catalog. The vulnerability, identified as CVE-2025-31161, is a ...

Published Date: Apr 08, 2025
  • security.nl
Criminals claim large-scale theft of sensitive data via CrushFTP servers (translated from Dutch)

Criminals claim online that they have stolen sensitive information from companies worldwide on a large scale via vulnerable CrushFTP servers. Affected companies will in the coming days be ...

Published Date: Apr 08, 2025
  • The Hacker News
CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation

A recently disclosed critical security flaw impacting CrushFTP has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vu ...

Published Date: Apr 08, 2025
  • Dark Reading
Disclosure Drama Clouds CrushFTP Vulnerability Exploitation

A critical CrushFTP vulnerability now under exploitation in the wild has become mired in controversy and confusion. On March 31, the Shadowserver Foundation reported ...

Published Date: Apr 03, 2025

The following table lists the changes that have been made to the CVE-2025-31161 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Apr. 21, 2025

    Action Type Old Value New Value
    Added Reference Type CVE: https://www.vicarius.io/vsociety/posts/cve-2025-31161-detect-crushftp-vulnerability Types: Exploit, Third Party Advisory
    Added Reference Type CVE: https://www.vicarius.io/vsociety/posts/cve-2025-31161-mitigate-crushftp-vulnerability Types: Mitigation, Third Party Advisory
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 21, 2025

    Action Type Old Value New Value
    Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-31161-detect-crushftp-vulnerability
    Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-31161-mitigate-crushftp-vulnerability
  • Initial Analysis by [email protected]

    Apr. 08, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE NVD-CWE-Other
    Added CPE Configuration OR
        cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:* versions from (including) 10.0.0 up to (excluding) 10.8.4
        cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:* versions from (including) 11.0.0 up to (excluding) 11.3.1
    Added Reference Type CVE: https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis Types: Exploit, Third Party Advisory
    Added Reference Type MITRE: https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo Types: Vendor Advisory
    Added Reference Type MITRE: https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/ Types: Third Party Advisory
    Added Reference Type CVE: https://projectdiscovery.io/blog/crushftp-authentication-bypass Types: Exploit, Third Party Advisory
    Added Reference Type CVE: https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation Types: Press/Media Coverage
    Added Reference Type CVE: https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation Types: Exploit, Third Party Advisory
    Added Reference Type CVE: https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure/ Types: Press/Media Coverage
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Apr. 08, 2025

    Action Type Old Value New Value
    Added Date Added 2025-04-07
    Added Due Date 2025-04-28
    Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
    Added Vulnerability Name CrushFTP Authentication Bypass Vulnerability
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 05, 2025

    Action Type Old Value New Value
    Added Reference https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure/
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 05, 2025

    Action Type Old Value New Value
    Added Reference https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 05, 2025

    Action Type Old Value New Value
    Added Reference https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 05, 2025

    Action Type Old Value New Value
    Added Reference https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation
  • New CVE Received by [email protected]

    Apr. 03, 2025

    Action Type Old Value New Value
    Added Description CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-305
    Added Reference https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo
    Added Reference https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 03, 2025

    Action Type Old Value New Value
    Added Reference https://projectdiscovery.io/blog/crushftp-authentication-bypass
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The page presents the EPSS score history of this vulnerability as a chart.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-31161 is associated with the following CWEs:

CWE-305: Authentication Bypass by Primary Weakness (from the original CVE record); NVD analysis recorded NVD-CWE-Other.

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-31161 weaknesses.

CVSS 3.1 - Vulnerability Scoring System

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Base Score 9.8, Critical)

Metric               Value
Attack Vector        Network (N)
Attack Complexity    Low (L)
Privileges Required  None (N)
User Interaction     None (N)
Scope                Unchanged (U)
Confidentiality      High (H)
Integrity            High (H)
Availability         High (H)
© cvefeed.io
Latest DB Update: Apr. 25, 2025 9:18