Full Report
A recently disclosed critical security flaw impacting CrushFTP has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog after reports emerged of active exploitation in the wild. The vulnerability is a case of authentication bypass that could permit an unauthenticated attacker to take over susceptible instances. It has
Analysis Summary
# Vulnerability: CrushFTP Authentication Bypass Leading to Full Account Compromise
## CVE Details
- CVE ID: CVE-2025-31161
- CVSS Score: 9.8 (Critical)
- CWE: Authentication Bypass
## Affected Systems
- Products: CrushFTP
- Versions: Prior to 10.8.4 and 11.3.1
- Configurations: Any susceptible instance accessible over HTTP.
## Vulnerability Description
The vulnerability is an authentication bypass in CrushFTP's handling of the HTTP `Authorization` header. A remote, unauthenticated attacker can leverage it to authenticate as any known or guessable user account, including administrative accounts (e.g., `crushadmin`). Because the attacker inherits the privileges of the impersonated user, a successful bypass can lead to full compromise of the instance, including command execution and configuration changes with that user's rights.
## Exploitation
- Status: Exploited in the wild (Added to CISA KEV catalog)
- Complexity: Low (Step-by-step instructions for exploitation are available)
- Attack Vector: Network
## Impact
- Confidentiality: High (Access to data accessible by the compromised user)
- Integrity: High (Ability to execute commands and make configuration changes)
- Availability: High (Potential for system disruption or further compromise)
## Remediation
### Patches
- CrushFTP version 10.8.4
- CrushFTP version 11.3.1
### Workarounds
No specific vendor workarounds were documented, but immediate patching is required due to active exploitation.
## Detection
- **Indicators of Compromise (IoCs):** Post-exploitation activity has involved the installation of legitimate remote desktop software like AnyDesk and MeshCentral agent, and the deployment of C++ binaries utilizing the TgBot library (potentially for Telegram-based telemetry).
- **Detection Methods and Tools:** Monitor HTTP traffic to the CrushFTP web interface for requests that carry crafted `CrushAuth` and `currentAuth` cookies together with an `Authorization` header set to `AWS4-HMAC=/`. Monitor hosts for the installation of unauthorized remote access tools and for the creation of new, unauthorized user accounts (e.g., `CrushUser`).
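The following is an added detection example, not code from the advisory or from CrushFTP, showing how the two detection methods above can be turned into checks over logs. The only page-sourced indicators it uses are the literal `Authorization` value `AWS4-HMAC=/`, the `CrushAuth`/`currentAuth` cookie names, the AnyDesk and MeshCentral tooling, and the `CrushUser` account name. The record layout, field names, request paths and process image paths are assumptions, and all sample records are constructed.

```python
from __future__ import annotations

# Indicator from the advisory: Authorization header set to this value.
INDICATOR_AUTH_VALUE = "AWS4-HMAC=/"
# CrushFTP session cookies the advisory says accompany the crafted header.
SESSION_COOKIES = frozenset({"CrushAuth", "currentAuth"})
# Remote access tooling reported post-exploitation (AnyDesk, MeshCentral agent).
# The image-name substrings are assumptions, not from the advisory.
REMOTE_ACCESS_TOOL_MARKERS = ("anydesk", "meshagent", "meshcentral")
# Account name the advisory reports being created by intruders.
ROGUE_ACCOUNT_NAMES = frozenset({"CrushUser"})

# Constructed sample HTTP request records (not real traffic; layout assumed).
SAMPLE_REQUESTS = [
    {  # carries the advisory's indicator plus session cookies -> should be flagged
        "ts": "2025-04-07T10:15:02Z", "src": "198.51.100.7",
        "method": "POST", "path": "/WebInterface/function/",
        "headers": {"Authorization": "AWS4-HMAC=/",
                    "Cookie": "CrushAuth=0000_placeholder; currentAuth=placeholder"},
    },
    {  # ordinary Basic-auth login -> clean
        "ts": "2025-04-07T10:16:44Z", "src": "192.0.2.25",
        "method": "GET", "path": "/WebInterface/",
        "headers": {"Authorization": "Basic dXNlcjpwYXNz"},
    },
    {  # well-formed AWS SigV4 header from an S3-style client -> clean
        "ts": "2025-04-07T10:17:01Z", "src": "192.0.2.40",
        "method": "GET", "path": "/bucket/",
        "headers": {"Authorization": "AWS4-HMAC-SHA256 Credential=EXAMPLEKEY/20250407/"
                                     "us-east-1/s3/aws4_request, SignedHeaders=host, "
                                     "Signature=placeholder"},
    },
]

# Constructed sample host telemetry (process starts and account creations).
SAMPLE_HOST_EVENTS = [
    {"host": "ftp01", "type": "process_start", "image": r"C:\Users\Public\AnyDesk.exe"},
    {"host": "ftp01", "type": "process_start", "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe"},
    {"host": "ftp01", "type": "user_created", "user": "CrushUser"},
    {"host": "ftp02", "type": "process_start", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ftp02", "type": "user_created", "user": "backup_svc"},
]


def cookie_names(cookie_header: str) -> set:
    """Return the set of cookie names in a raw Cookie header value."""
    names = set()
    for part in cookie_header.split(";"):
        name, _, _ = part.strip().partition("=")
        if name:
            names.add(name)
    return names


def classify_request(record: dict) -> list:
    """Return indicator findings for one request record (empty list if clean)."""
    headers = record.get("headers", {})
    auth = headers.get("Authorization", "").strip()
    findings = []
    # startswith() tolerates trailing junk; a real SigV4 header never matches
    # because it continues with "-SHA256", not "=/".
    if auth.startswith(INDICATOR_AUTH_VALUE):
        findings.append(f"Authorization header matches indicator {INDICATOR_AUTH_VALUE!r}")
        present = SESSION_COOKIES & cookie_names(headers.get("Cookie", ""))
        if present:
            findings.append("session cookies present: " + ", ".join(sorted(present)))
    return findings


def suspicious_requests(records: list) -> list:
    """Filter request records down to those carrying CVE-2025-31161 indicators."""
    hits = []
    for rec in records:
        findings = classify_request(rec)
        if findings:
            hits.append({"src": rec.get("src"), "ts": rec.get("ts"),
                         "path": rec.get("path"), "findings": findings})
    return hits


def suspicious_host_events(events: list, approved_tool_hosts=frozenset()) -> list:
    """Flag post-exploitation activity named in the advisory: remote access tool
    starts (unless the host is approved to run them) and rogue account creation."""
    alerts = []
    for ev in events:
        if ev.get("type") == "process_start":
            image = ev.get("image", "").lower()
            if any(m in image for m in REMOTE_ACCESS_TOOL_MARKERS) and ev.get("host") not in approved_tool_hosts:
                alerts.append(f"{ev['host']}: remote access tool started: {ev['image']}")
        elif ev.get("type") == "user_created" and ev.get("user") in ROGUE_ACCOUNT_NAMES:
            alerts.append(f"{ev['host']}: account {ev['user']!r} created")
    return alerts


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_REQUESTS):
        print("HTTP:", hit)
    for alert in suspicious_host_events(SAMPLE_HOST_EVENTS):
        print("HOST:", alert)
```

The HTTP check keys on the bare `AWS4-HMAC=/` value rather than on the cookies alone, because `CrushAuth` is a normal CrushFTP session cookie and would produce constant false positives on its own; the cookies are reported as supporting context once the header indicator fires. The host check takes an allowlist of hosts where remote access tooling is sanctioned, since the advisory's concern is unauthorized installs.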
## References
- Vendor Advisory (Fix information): hxxps://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo
- CISA KEV Advisory: hxxps://www.cisa.gov/news-events/alerts/2025/04/07/cisa-adds-one-known-exploited-vulnerability-catalog
- Outpost24 Disclosure: hxxps://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
- Huntress Analysis: hxxps://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation