Exploitation of CrushFTP Vulnerability Occurs After Disclosure of Flaws
In a recent security advisory, CrushFTP has warned users about an actively exploited critical authentication bypass vulnerability, identified as CVE-2025-31161. This vulnerability, discovered by security analysts at Outpost24, has a CVSSv3.1 severity score of 9.8, making it especially dangerous.
The vulnerability is found in the AWS4-HMAC authentication method of the HTTP component in CrushFTP versions 10 and 11. It allows unauthenticated access to devices running unpatched versions of CrushFTP, potentially enabling unauthorized access.
Many administrators use the default 'crushadmin' username, making the vulnerability even more concerning. Attackers can authenticate as any user, including administrators, by sending a manipulated Authorization header and a malformed request, enabling persistent access.
CrushFTP has released patches for the vulnerability and urges users to update to versions 10.8.4 or 11.3.1 immediately. As a temporary mitigation for those unable to apply the fix immediately, enabling the DMZ perimeter network option is recommended.
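To turn the advisory's fixed versions (10.8.4 for the 10.x line, 11.3.1 for the 11.x line) into a quick inventory check, here is an added Python example that is not part of the advisory or of CrushFTP's own tooling. It assumes version strings are dotted numerics such as "11.2.3" (an assumption; the page does not describe the version format) and reports which hosts in an inventory are still below the fixed release for their major line.

```python
"""Compare reported CrushFTP versions against the fixed releases named in the
advisory (10.8.4 for 10.x, 11.3.1 for 11.x). Added example, not vendor code;
the dotted-numeric version format is an assumption."""

from typing import Dict, List, Tuple

# Fixed versions per affected major line, taken from the advisory.
FIXED_VERSIONS = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "10.8.4" into (10, 8, 4); anything non-numeric is rejected."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros so "11.2" compares as (11, 2, 0)."""
    return v + (0,) * (n - len(v))


def is_vulnerable(version: str) -> bool:
    """True when the version is a 10.x or 11.x release below its fixed version."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        # Not a 10.x or 11.x release: outside the range the advisory names.
        return False
    n = max(len(v), len(fixed))
    return _pad(v, n) < _pad(fixed, n)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return, sorted, the hosts whose reported version still needs the patch."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported version.
    sample = {"ftp-a": "11.1.0", "ftp-b": "11.3.1", "ftp-c": "10.8.4", "ftp-d": "10.7.1"}
    print("needs patching:", triage(sample))
```

Hosts listed by `triage` should be patched first; the DMZ perimeter option mentioned above is the interim control for any that cannot be updated immediately.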
Organizations should also monitor system logs for unusual authentication attempts and restrict public-facing access to CrushFTP servers where possible.
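As an illustration of the log monitoring recommended above, the following added Python example (not from the advisory, Outpost24 or CrushFTP) scans access-log lines for AWS4-HMAC authentications that deserve a second look: a login through that method as an administrative account such as the default `crushadmin`, or one from a source address outside a known set of S3-API clients. The key=value log format, the sample lines and the allowlist are all constructed assumptions; adapt the regex to the real log layout.

```python
"""Flag unusual AWS4-HMAC authentications in a CrushFTP-style access log.
Added example; the log line format, sample data and allowlist are assumed,
not taken from the advisory."""

import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOG = """\
2025-04-01T09:58:01Z src=198.51.100.7 user=backup-svc auth=AWS4-HMAC-SHA256 status=200
2025-04-01T10:00:12Z src=203.0.113.5 user=crushadmin auth=AWS4-HMAC-SHA256 status=200
2025-04-01T10:00:13Z src=203.0.113.5 user=crushadmin auth=AWS4-HMAC-SHA256 status=200
2025-04-01T10:01:40Z src=192.0.2.44 user=alice auth=basic status=401
2025-04-01T10:02:05Z src=203.0.113.9 user=bob auth=AWS4-HMAC-SHA256 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) auth=(?P<auth>\S+) status=(?P<status>\d+)$"
)

ADMIN_ACCOUNTS: Set[str] = {"crushadmin"}       # default admin name cited in the advisory
KNOWN_S3_CLIENTS: Set[str] = {"198.51.100.7"}   # assumed allowlist of hosts expected to use the S3-style API


@dataclass
class Finding:
    ts: str
    src: str
    user: str
    reason: str


def analyse(log_text: str, admins: Set[str] = ADMIN_ACCOUNTS,
            allow: Set[str] = KNOWN_S3_CLIENTS) -> List[Finding]:
    """Return one Finding per AWS4-HMAC login that is either an admin login
    or comes from a source not on the allowlist; other lines are ignored."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format
        if not m["auth"].startswith("AWS4-HMAC"):
            continue  # only the AWS4-HMAC method is of interest here
        if m["user"] in admins:
            findings.append(Finding(m["ts"], m["src"], m["user"],
                                    "AWS4-HMAC login as admin account"))
        elif m["src"] not in allow:
            findings.append(Finding(m["ts"], m["src"], m["user"],
                                    "AWS4-HMAC login from unexpected source"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.user}: {f.reason}")
```

Findings should be correlated with the instance's patch level: on an unpatched server an AWS4-HMAC login as an administrative account is the pattern to investigate first, while on a patched one the same rule still surfaces S3-API use from unexpected hosts.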
It's worth noting that over 1500 vulnerable instances of CrushFTP have been identified online by the Shadowserver Foundation. The flaw was fixed on March 13, 2025, and Outpost24 coordinated with CrushFTP under a 90-day non-disclosure period to ensure users had sufficient time to patch.
However, another company, VulnCheck, published a separate CVE, CVE-2025-2825, without consulting Outpost24 or CrushFTP, disrupting the disclosure process.
The ongoing exploitation of CVE-2025-31161 underscores the importance of securing file transfer infrastructure against future vulnerabilities. By taking immediate action and following the recommended mitigations, users can help protect their systems from this critical vulnerability.