CVE-2025-31161

Known Exploited Public Exploit

Description

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.

Category

9.8
CVSS
Severity: Critical
CVSS 3.1 •
EPSS 81.74% Top 5%
KEV Since 
Vendor Advisory crushftp.com
Affected: CrushFTP CrushFTP
Published at:
Updated at:

References

Link Tags
https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/ third party advisory
https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo vendor advisory
https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis exploit third party advisory
https://projectdiscovery.io/blog/crushftp-authentication-bypass exploit third party advisory
https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation press/media coverage
https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation exploit third party advisory
https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure/ press/media coverage
https://www.vicarius.io/vsociety/posts/cve-2025-31161-detect-crushftp-vulnerability exploit third party advisory
https://www.vicarius.io/vsociety/posts/cve-2025-31161-mitigate-crushftp-vulnerability mitigation third party advisory

Frequently Asked Questions

What is the severity of CVE-2025-31161?
CVE-2025-31161 has been scored as a critical severity vulnerability.
How to fix CVE-2025-31161?
To fix CVE-2025-31161, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-31161 being actively exploited in the wild?
It is confirmed that CVE-2025-31161 is actively exploited. Be extra cautious if you are using vulnerable components. According to its EPSS score, there is a ~82% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-31161?
CVE-2025-31161 affects CrushFTP CrushFTP.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.