A newly disclosed security vulnerability in the file transfer solution CrushFTP has raised significant alarm in the cybersecurity community. This severe flaw, which allows for authentication bypass, has already seen active exploitation in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalogue.
The flaw affects specific versions of CrushFTP and poses a major risk to organizations relying on the platform to handle file transfers securely. In this post, we’ll explain the vulnerability, how it works, the timeline of events, ongoing disputes among security firms, the technical exploitation process, and mitigation recommendations.
CVE-2025-31161: An Overview of the CrushFTP Vulnerability
What is CVE-2025-31161?
The vulnerability identified as CVE-2025-31161 carries a CVSS score of 9.8, making it a critical risk. It involves a flaw in processing the HTTP authorization header in CrushFTP, enabling attackers to bypass authentication. Essentially, this allows unauthenticated attackers to access and assume the privileges of any user account, including the administrator account (crush-admin), without requiring credentials.
Which Versions Are Affected?
The flaw has been patched in CrushFTP versions 10.8.4 and 11.3.1. Any instance running an earlier version is vulnerable to exploitation and should be updated immediately.
According to the CISA advisory, “CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise.”
A Disputed Disclosure Timeline and Conflicting CVE Assignments
Confusion Over CVE Assignment
The vulnerability disclosure timeline has sparked controversy among security researchers and stakeholders. Initially, the flaw was referred to by the identifier CVE-2025-2825, which was assigned by VulnCheck, a CVE Numbering Authority (CNA). However, that CVE has since been marked as rejected in the CVE database.
The official and current identifier is CVE-2025-31161, which MITRE later issued. This change has led to confusion, mainly because both VulnCheck and Outpost24—who initially reported the flaw—played roles in attempting to disclose it responsibly.
What Happened Behind the Scenes?
Outpost24, the Swedish cybersecurity firm that discovered the vulnerability, stated that they responsibly disclosed the issue to CrushFTP on March 13, 2025, and began coordinating to implement a fix within a 90-day disclosure window. However, MITRE did not assign a CVE until March 27, leaving a gap that allowed VulnCheck to publish its own CVE without contacting Outpost24 or CrushFTP.
This resulted in a public dispute. VulnCheck criticized MITRE and CrushFTP, accusing the vendor of attempting to delay public disclosure and avoid paying attention to the flaw.
VulnCheck’s Allegations
Patrick Garrity, a researcher at VulnCheck, voiced his concerns on LinkedIn, stating:
“CrushFTP, LLC released an advisory but deliberately requested that a CVE not be issued for 90 days, effectively trying to hide the vulnerability from the security community and defenders.”
He further accused MITRE of prioritizing its role in the write-up over timely public awareness, calling the situation a “dangerous precedent” for handling critical vulnerabilities.
How the Exploit Works: A Step-by-Step Technical Breakdown
Although the exploit’s technical details remain limited to prevent widespread abuse, researchers have shared a general outline of the method.
Session Token Manipulation
The core of the exploit lies in manipulating session tokens and the Authorization header. Here’s a simplified breakdown of the process:
- Session Generation: The attacker generates a random alphanumeric string (minimum 31 characters) as a fake session token.
- Cookie Manipulation: Two cookies are set:
- CrushAuth is set to the entire session token.
- currentAuth is set to the last four characters of the token.
- Fake Authentication: A specially crafted HTTP GET request is sent to the endpoint /WebInterface/function/ using the manipulated cookies and an Authorization header in the format:
- makefile
- CopyEdit
- Authorization: AWS4-HMAC=<username>/,
- The attacker substitutes <username> with a known or guessed valid user, such as crushadmin.
The server validates the session by forging this request, and the attacker is granted access with the target user’s permission.
In-the-Wild Exploitation: How Attackers Are Using CVE-2025-31161
Huntress Investigations Reveal Post-Exploitation Activity
The cybersecurity firm Huntress created a working proof-of-concept for CVE-2025-31161 and confirmed that active exploitation began on April 3, 2025. Their analysis revealed not only successful authentication bypasses but also subsequent malware deployment.
Some attacks may have occurred even earlier, possibly around March 30, suggesting that bad actors were aware of and exploiting the flaw before official disclosure.
Targeted Organizations and Sectors
So far, Huntress has observed exploitation attempts on four separate hosts across four organizations. While specific company names remain undisclosed, the affected sectors include:
- Marketing
- Retail
- Semiconductors
Interestingly, three affected companies were hosted by the same Managed Service Provider (MSP), indicating a potentially broader risk through third-party vendors.
Tools and Malware Used by the Threat Actors
Remote Desktop and Credential Harvesting
Upon gaining unauthorized access, attackers have been deploying legitimate remote administration tools, such as:
- AnyDesk
- MeshAgent
These tools allow persistent access and remote control of the compromised systems.
Privilege Escalation and Payload Deployment
In one observed case, attackers:
- Created a new non-admin user called “CrushUser.”
- Added it to the local administrator’s group
- Deployed a C++ binary named d3d11.dll
This binary implements the TgBot open-source Telegram library, suggesting that attackers may be using Telegram bots to collect data and manage infected systems remotely.
Global Impact and Patch Requirements
Unpatched Instances Still at Risk
As of April 6, 2025, at least 815 CrushFTP instances remain unpatched, with the geographic distribution as follows:
- 487 in North America
- 250 in Europe
These systems are still at risk of attack if they continue to run outdated versions.
U.S. Government Mandate
CISA has ordered the Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by April 28, 2025, to ensure their networks are secured against this active threat.
How to Protect Your Systems from CVE-2025-31161
Immediate Actions Recommended
If your organization uses CrushFTP, take the following steps immediately:
- Update CrushFTP to version 10.8.4 or 11.3.1, whichever is appropriate for your setup.
- Conduct a Full Security Audit to identify unauthorized accounts, privilege escalations, and suspicious files.
- Review Remote Access Tools like AnyDesk or MeshAgent on your systems and determine if they were legitimately installed.
- Change Administrative Passwords, especially if crush-admin access was possible during the vulnerability window.
- Enable Logging and Monitoring to detect future unauthorized access attempts.
Long-Term Security Measures
- Implement multi-factor authentication (MFA) wherever possible.
- Regularly update and patch third-party software.
- Limit exposure of administrative interfaces to internal networks or VPN access only.
- Monitor KEV catalogues published by CISA to stay informed about high-priority vulnerabilities.
Final Thoughts
The CrushFTP vulnerability CVE-2025-31161 is a stark reminder of the importance of timely disclosure, patch management, and vendor transparency. While security researchers and authorities continue to debate the ethics of vulnerability coordination, the reality for IT teams is apparent: patch early, monitor continuously, and stay informed.
Organizations must also recognize that software supply chains—including managed service providers—can be vectors for risk. As attackers increasingly exploit zero-day and newly disclosed vulnerabilities, the need for proactive cybersecurity measures has never been greater.
Sources: The hacker News, Techradar, The Record
