Critical CrushFTP Authentication Bypass Vulnerability CVE-2025-31161: What You Need to Know

What is CVE-2025-31161?

CVE-2025-31161 is a critical authentication bypass in CrushFTP that affects versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The same bug was first published under the duplicate identifier CVE-2025-2825 (assigned by VulnCheck), which is why some advisories, including the sources listed at the end of this page, still use that number. An unauthenticated attacker who can reach the server's HTTP(S) port can authenticate as any known or guessable account, including the built-in crushadmin administrator, which amounts to full control of the file transfer system.

Impact and Risk

The vulnerability carries a CVSS v3.1 base score of 9.8 (critical): it is reachable over the network and needs no privileges or user interaction. Attackers can use it to:

  1. Bypass authentication mechanisms
  2. Gain unauthorized access to file transfer systems
  3. Potentially execute arbitrary code
  4. Access sensitive data
  5. Use the system as a pivot point for further attacks

Current Status

  • Exploitation Status: Actively exploited in the wild, including in ransomware campaigns
  • Detection: Added to CISA's Known Exploited Vulnerabilities catalog on April 7, 2025
  • Mitigation: Immediate upgrade to a fixed release (11.3.1 or 10.8.4, or later)

Technical Details

The flaw is in how the HTTP(S) component of CrushFTP handles the AWS4-HMAC (S3-compatible) Authorization header:

  1. When a request carries an AWS4-HMAC-SHA256 header, the server first looks up the named user through its login routine without requiring a password. From that point the session is treated as authenticated until a later verification step runs, so exploiting the header as designed is a race against that step.
  2. The race can be removed entirely with a mangled header. A Credential value that is only a username followed by a slash (for example crushadmin/) is enough for the user lookup to succeed, but the parser then fails to find the expected SignedHeaders entry, hits an index-out-of-bounds error, and never reaches the session cleanup. The session is left authenticated as that user.
  3. To drive the web interface with that session, the public exploit requests also carry:
    • a CrushAuth cookie with a 44-character value
    • a c2f query parameter whose value is the last four characters of that cookie, which is the web interface's CSRF token check
    • no valid signature at all, since nothing after the Credential field is ever verified
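As an added example (not CrushFTP's code and not the page's own), the following check looks for the request shape just described in captured HTTP requests: an AWS4-HMAC-SHA256 Authorization header with a bare username/ credential and no SignedHeaders or Signature, sent together with a CrushAuth cookie and a matching c2f parameter. The request records, their field layout, and the sample traffic are constructed for the example; adapt the field access to whatever your reverse proxy or WAF actually logs.

```python
"""Indicator check for the CVE-2025-31161 request shape.

Added example, not CrushFTP code. The request dicts and their 'method',
'path', 'headers' layout are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

AWS4_PREFIX = "AWS4-HMAC-SHA256"


def parse_sigv4(auth_header):
    """Split a SigV4 Authorization header into its key=value components.
    Returns None when the header is not a SigV4 header at all."""
    if not auth_header or not auth_header.startswith(AWS4_PREFIX):
        return None
    parts = {}
    for piece in auth_header[len(AWS4_PREFIX):].split(","):
        key, sep, value = piece.strip().partition("=")
        if sep:
            parts[key.strip()] = value.strip()
    return parts


def assess_request(req):
    """Return the list of indicators found in one request (empty list = clean)."""
    findings = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    sigv4 = parse_sigv4(headers.get("authorization", ""))
    if sigv4 is None:
        return findings

    # A genuine SigV4 header always carries SignedHeaders and Signature; the
    # bypass sends only Credential, which is what makes the server skip cleanup.
    for required in ("SignedHeaders", "Signature"):
        if required not in sigv4:
            findings.append(f"SigV4 header missing {required}")

    # A real credential scope is <key>/<date>/<region>/<service>/aws4_request.
    # The bypass sends just "<user>/".
    scope = sigv4.get("Credential", "").split("/")
    if len(scope) != 5 or scope[-1] != "aws4_request":
        user = scope[0] or "<empty>"
        findings.append(f"truncated credential scope for user {user!r}")

    # An S3 client has no reason to send the web interface's CrushAuth cookie
    # and c2f token; together with a SigV4 header that is the exploit shape.
    # c2f is the last four characters of the CrushAuth value (the observed
    # exploit used a 44-character cookie value).
    cookie_match = re.search(r"CrushAuth=([^;\s]+)", headers.get("cookie", ""))
    c2f = parse_qs(urlsplit(req.get("path", "")).query).get("c2f", [""])[0]
    if cookie_match and c2f and cookie_match.group(1).endswith(c2f):
        findings.append("CrushAuth cookie with matching c2f sent alongside SigV4 header")
    return findings


def scan(requests):
    """Map each flagged request's path to its indicators."""
    flagged = {}
    for req in requests:
        indicators = assess_request(req)
        if indicators:
            flagged[req["path"]] = indicators
    return flagged


# Constructed sample traffic: a legitimate S3 request, a bypass attempt in the
# shape described above, and an ordinary web-interface login.
SAMPLE_REQUESTS = [
    {
        "method": "GET",
        "path": "/bucket/report.csv",
        "headers": {
            "Authorization": (
                "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLEKEY/20250326/us-east-1/s3/aws4_request, "
                "SignedHeaders=host;x-amz-date, Signature=0123456789abcdef"
            ),
        },
    },
    {
        "method": "GET",
        "path": "/WebInterface/function/?command=getUserList&c2f=0123",
        "headers": {
            "Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/",
            "Cookie": "CrushAuth=1742880000000_AbCdEfGhIjKlMnOpQrStUvWxYz0123",
        },
    },
    {
        "method": "POST",
        "path": "/WebInterface/function/?command=login&c2f=ab12",
        "headers": {"Cookie": "CrushAuth=1742880000000_ZyXwVuTsRqPoNmLkJiHgFeDcBaab12"},
    },
]

if __name__ == "__main__":
    for path, indicators in scan(SAMPLE_REQUESTS).items():
        print(path)
        for indicator in indicators:
            print("  -", indicator)
```

Any hit on an unpatched server is a successful authentication from the server's point of view, so treat it as a compromise to investigate rather than a blocked attempt.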

What You Need to Do

  1. Immediate Action:

    • Update to CrushFTP 11.3.1 or 10.8.4 (or later) immediately; these are the first releases on each branch that contain the fix, and 10.8.3 and 11.3.0 are still vulnerable
    • Until you can patch, note that the bypass targets the HTTP(S) port directly; per the vendor, instances fronted by a CrushFTP DMZ proxy are not exposed to it
  2. Detection:

    • Review HTTP(S) access logs for requests carrying an AWS4-HMAC-SHA256 Authorization header whose Credential value is just a username and a trailing slash, with no SignedHeaders or Signature
    • Look for administrative WebInterface calls (user listing, user creation, password changes) from unfamiliar source addresses, and audit the user list for accounts you did not create
    • Do not rely on failed-login alerts alone: the bypass produces a successful authentication, not a failed one
  3. Prevention:

    • Apply the security update as soon as possible
    • Consider disabling the S3 protocol if you do not need it
    • Keep the administrative web interface off the public internet, or front it with a VPN or reverse proxy that enforces its own authentication
    • Regularly audit system access logs and the configured user list
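The version boundaries matter here (10.8.3 is vulnerable, 10.8.4 is fixed; 11.3.0 is vulnerable, 11.3.1 is fixed), so it is worth checking a fleet inventory with exact comparisons rather than by eye. The following added example (not CrushFTP's code) encodes the affected ranges and first fixed releases from the advisory and triages a constructed inventory, listing directly exposed instances before DMZ-fronted ones; the inventory hosts, the (host, version, dmz_fronted) layout and the function names are assumptions made for the example.

```python
"""Version triage for CVE-2025-31161.

Added example, not CrushFTP code. Affected ranges and fixed releases are
taken from the advisory; the inventory and its tuple layout are constructed.
"""
import re

AFFECTED = {10: ((10, 0, 0), (10, 8, 3)), 11: ((11, 0, 0), (11, 3, 0))}
FIXED = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text):
    """'11.3.0' -> (11, 3, 0). Tolerates a trailing tag such as '10.8.4_build123'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def status(version_text):
    """Return 'vulnerable', 'fixed' or 'unlisted' for one version string.

    'unlisted' covers branches the advisory does not mention (e.g. 9.x);
    treat those as needing a separate decision, not as safe."""
    v = parse_version(version_text)
    if v[0] not in AFFECTED:
        return "unlisted"
    low, high = AFFECTED[v[0]]
    return "vulnerable" if low <= v <= high else "fixed"


def triage(inventory):
    """inventory: list of (host, version, dmz_fronted) tuples (constructed shape).

    Returns (host, version, exposure, target_version) rows for hosts that
    still need patching, directly exposed HTTP(S) ports first. The vendor
    lists DMZ-fronted instances as not affected by the bypass, but they are
    still on vulnerable code and belong in the patch queue."""
    todo = []
    for host, version, dmz_fronted in inventory:
        if status(version) == "vulnerable":
            target = ".".join(str(n) for n in FIXED[parse_version(version)[0]])
            todo.append((host, version, "dmz" if dmz_fronted else "exposed", target))
    todo.sort(key=lambda row: (row[2] != "exposed", row[0]))
    return todo


INVENTORY = [  # constructed sample data
    ("mft-01.example.internal", "11.3.0", False),
    ("mft-02.example.internal", "11.3.1", False),
    ("mft-03.example.internal", "10.8.3", True),
    ("mft-04.example.internal", "10.8.4", False),
    ("legacy.example.internal", "9.5.0", False),
]

if __name__ == "__main__":
    for host, version, exposure, target in triage(INVENTORY):
        print(f"{host}: {version} ({exposure}) -> upgrade to {target}")
```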

Timeline

  • March 21, 2025: CrushFTP releases 11.3.1 and 10.8.4, which contain the fix
  • March 26, 2025: Vulnerability details are published under the duplicate identifier CVE-2025-2825
  • March 27, 2025: Security advisories begin circulating
  • March 28, 2025: ProjectDiscovery publishes detailed analysis
  • April 7, 2025: CISA adds to KEV catalog
  • April 13, 2025: Widespread exploitation confirmed

Sources

  1. CrushFTP Authentication Bypass - CVE-2025-2825
  2. CrushFTP 11.0.0 to 11.3.0 are vulnerable. Update to 11.3.1+ immediately
  3. MITRE CVE: CVE-2025-2825