Hoplon InfoSec
08 Apr, 2025
A newly disclosed security vulnerability in the file transfer solution CrushFTP has raised significant alarm in the cybersecurity community. This severe flaw, which allows for authentication bypass, has already seen active exploitation in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalogue.
The flaw affects specific versions of CrushFTP and poses a major risk to organizations relying on the platform to handle file transfers securely. In this post, we’ll explain the vulnerability, how it works, the timeline of events, ongoing disputes among security firms, the technical exploitation process, and mitigation recommendations.
The vulnerability identified as CVE-2025-31161 carries a CVSS score of 9.8, making it a critical risk. It involves a flaw in processing the HTTP authorization header in CrushFTP, enabling attackers to bypass authentication. Essentially, this allows unauthenticated attackers to access and assume the privileges of any user account, including the administrator account (crush-admin), without requiring credentials.
The flaw has been patched in CrushFTP versions 10.8.4 and 11.3.1. Any instance running an earlier version is vulnerable to exploitation and should be updated immediately.
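The post gives the two fixed releases (10.8.4 on the 10.x branch, 11.3.1 on the 11.x branch) and says anything earlier is exposed. The following Python is an added example written for this post, not CrushFTP's own tooling: it parses version strings, decides per branch whether a build predates its fix, and triages a constructed inventory of hosts. The hostnames and versions in the sample inventory are made up, and the treatment of major versions above 11 as already fixed is an assumption.

```python
"""Triage CrushFTP version strings against the CVE-2025-31161 fixed releases.

Added example for this post (not CrushFTP code). Fixed versions are those the
post names: 10.8.4 and 11.3.1.
"""

import re
from typing import List, Tuple

# First patched release on each major branch, as stated in the advisory.
FIXED_VERSIONS = {
    10: (10, 8, 4),
    11: (11, 3, 1),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted version such as '11.2.3' (or 'v11.3.1_beta') into ints.

    Trailing build tags are dropped. Unrecognised input raises ValueError so
    that an odd format is never silently treated as patched.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so '10.8' compares as (10, 8, 0).
    while len(parts) < 3:
        parts += (0,)
    return parts


def is_vulnerable(version: str) -> bool:
    """True when the CrushFTP version predates the fix for its branch.

    Branch 10 is fixed from 10.8.4, branch 11 from 11.3.1. A major version
    below 10 has no listed fix and is treated as vulnerable. A major version
    above 11 is treated as fixed (assumption: later majors carry the patch).
    """
    v = parse_version(version)
    major = v[0]
    if major < 10:
        return True
    if major > 11:
        return False
    return v < FIXED_VERSIONS[major]


def triage(inventory: List[Tuple[str, str]]):
    """Split (hostname, version) pairs into (unpatched, patched) lists."""
    unpatched, patched = [], []
    for host, version in inventory:
        (unpatched if is_vulnerable(version) else patched).append((host, version))
    return unpatched, patched


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("ftp-01.example.internal", "10.8.3"),
    ("ftp-02.example.internal", "10.8.4"),
    ("ftp-03.example.internal", "11.2.9"),
    ("ftp-04.example.internal", "11.3.1"),
    ("ftp-05.example.internal", "11.3.2"),
]


if __name__ == "__main__":
    unpatched, patched = triage(SAMPLE_INVENTORY)
    for host, version in unpatched:
        print(f"UNPATCHED  {host}  CrushFTP {version}")
    for host, version in patched:
        print(f"ok         {host}  CrushFTP {version}")
```

Feed `triage` the output of whatever asset inventory you already keep (CMDB export, scanner banner grab); the point of the per-branch table is that a 10.x host can be patched while carrying a lower version number than an unpatched 11.x host, so a single "greater than" comparison is not enough.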
According to the CISA advisory, “CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise.”
The vulnerability disclosure timeline has sparked controversy among security researchers and stakeholders. Initially, the flaw was referred to by the identifier CVE-2025-2825, which was assigned by VulnCheck, a CVE Numbering Authority (CNA). However, that CVE has since been marked as rejected in the CVE database.
The official and current identifier is CVE-2025-31161, which MITRE later issued. This change has led to confusion, mainly because both VulnCheck and Outpost24—who initially reported the flaw—played roles in attempting to disclose it responsibly.
Outpost24, the Swedish cybersecurity firm that discovered the vulnerability, stated that they responsibly disclosed the issue to CrushFTP on March 13, 2025, and began coordinating to implement a fix within a 90-day disclosure window. However, MITRE did not assign a CVE until March 27, leaving a gap that allowed VulnCheck to publish its own CVE without contacting Outpost24 or CrushFTP.
This resulted in a public dispute. VulnCheck criticized MITRE and CrushFTP, accusing the vendor of attempting to delay public disclosure and avoid drawing attention to the flaw.
Patrick Garrity, a researcher at VulnCheck, voiced his concerns on LinkedIn, stating:
“CrushFTP, LLC released an advisory but deliberately requested that a CVE not be issued for 90 days, effectively trying to hide the vulnerability from the security community and defenders.”
He further accused MITRE of prioritizing its role in the write-up over timely public awareness, calling the situation a “dangerous precedent” for handling critical vulnerabilities.
Although the exploit’s technical details remain limited to prevent widespread abuse, researchers have shared a general outline of the method.
The core of the exploit lies in manipulating session tokens and the Authorization header. Here’s a simplified breakdown of the process:
By forging such a request, the attacker gets the server to treat the session as valid and is granted access with the target user’s permissions.
The cybersecurity firm Huntress created a working proof-of-concept for CVE-2025-31161 and confirmed that active exploitation began on April 3, 2025. Their analysis revealed not only successful authentication bypasses but also subsequent malware deployment.
Some attacks may have occurred even earlier, possibly around March 30, suggesting that bad actors were aware of and exploiting the flaw before official disclosure.
So far, Huntress has observed exploitation attempts on four separate hosts across four organizations. While specific company names remain undisclosed, the affected sectors include:
Interestingly, three affected companies were hosted by the same Managed Service Provider (MSP), indicating a potentially broader risk through third-party vendors.
Upon gaining unauthorized access, attackers have been deploying legitimate remote administration tools, such as:
These tools allow persistent access and remote control of the compromised systems.
In one observed case, attackers:
This binary is built on the TgBot open-source Telegram library, suggesting that attackers may be using Telegram bots to collect data and manage infected systems remotely.
As of April 6, 2025, at least 815 CrushFTP instances remain unpatched, with the geographic distribution as follows:
These systems are still at risk of attack if they continue to run outdated versions.
CISA has ordered the Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by April 28, 2025, to ensure their networks are secured against this active threat.
If your organization uses CrushFTP, take the following steps immediately:
The CrushFTP vulnerability CVE-2025-31161 is a stark reminder of the importance of timely disclosure, patch management, and vendor transparency. While security researchers and authorities continue to debate the ethics of vulnerability coordination, the reality for IT teams is apparent: patch early, monitor continuously, and stay informed.
Organizations must also recognize that software supply chains—including managed service providers—can be vectors for risk. As attackers increasingly exploit zero-day and newly disclosed vulnerabilities, the need for proactive cybersecurity measures has never been greater.
Sources: The Hacker News, TechRadar, The Record