cbcvebase.
CVE-2025-31161
published 2025-04-03

CVE-2025-31161: CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as…

Priority: P1 (score 100, critical)
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2025-04-28
Exploited in the wild
EPSS: 99.96% (100.0th percentile)
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.

Affected

4 ranges

Vendor   | Product  | Version range       | Fixed in
crushftp | crushftp | >= 10 < 10.8.4      | 10.8.4
crushftp | crushftp | >= 10.0.0 < 10.8.4  | 10.8.4
crushftp | crushftp | >= 11 < 11.3.1      | 11.3.1
crushftp | crushftp | >= 11.0.0 < 11.3.1  | 11.3.1

Detection & IOCs (extracted from sources)

command: GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=1111 HTTP/1.1 Cookie: CrushAuth=1111111111_111111111111111111111111111111111 Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/ Connection: close
cookie: CrushAuth=1111111111_111111111111111111111111111111111
other: AWS4-HMAC-SHA256 Credential=<username>/
ip: 172.235.144.67
ip: 2.58.56.16
ip: 196.251.85.31
domain: rtb.mftadsrvr.com
url: https://rtb.mftadsrvr.com:2087
filename: d3d11.dll
filename: mesch.exe
url: http://196.251.85.31/d3d11.dll
ip: 104.21.16.1
ip: 104.21.48.1
port: 2087
  • Hunt CrushFTP logs for AWS4-HMAC-SHA256 Authorization headers where the Credential field contains only a username followed by a slash (e.g., 'crushadmin/') with no SignedHeaders entry — this is the stabilized exploit variant.
  • In CrushFTP.log, look for POST responses to crushadmin (or other admin users) that are NOT preceded by a valid currentAuth cookie — exploitation sessions lack the currentAuth cookie present in legitimate logins.
  • Monitor for CrushFTPService.exe spawning cmd.exe or AnyDesk installer processes — observed post-exploitation pivot for credential harvesting (SAM/SYSTEM hive dumping).
  • Check CrushFTP.log for the version string pattern 'SERVER||Server Memory Stats: :Version' to confirm the running version and identify unpatched instances (vulnerable: 10.0.0–10.8.3, 11.0.0–11.3.0).
  • Detect MeshCentral (MeshAgent) installation from C:\Windows\Temp connecting outbound to rtb.mftadsrvr.com:2087 as a post-exploitation persistence indicator across both CrushFTP and CentreStack incidents.
  • Huntress released two public Sigma rules for CVE-2025-31161 detection — obtain and deploy these for broader coverage.
  • The authentication bypass is only exploitable on directly exposed HTTP(S) ports; CrushFTP instances fronted by a DMZ proxy instance are protected from this attack.
  • The exploit requires a known or guessable username (e.g., the default 'crushadmin'); accounts containing a tilde (~) in the username are not exploitable via this method.
  • The original CVE identifier CVE-2025-2825 was rejected by NIST NVD as a duplicate reservation; the authoritative identifier is CVE-2025-31161.
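The first two hunting bullets above (a Credential field holding only a username and a slash with no SignedHeaders entry, and a CrushAuth session with no accompanying currentAuth) can be turned into a small request-level detector. The following is an added example, not code from this page, from Huntress, or from CrushFTP: it parses raw HTTP request text and reports which indicators fired. The sample requests are constructed (the first mirrors the request quoted in the IOC list, the second is a well-formed SigV4 request with a placeholder access key used as a benign control), and the detector assumes that currentAuth, when present, is visible as a cookie of that name.

```python
"""Request-level detector for the CVE-2025-31161 indicators listed on this page.

Added example (not the page's or CrushFTP's own code). It flags three things:
  * an AWS4-HMAC-SHA256 Authorization whose Credential lacks the normal
    <key>/<date>/<region>/<service>/aws4_request scope (e.g. "crushadmin/"),
  * an AWS4-HMAC-SHA256 Authorization with no SignedHeaders entry,
  * a CrushAuth cookie that is not accompanied by a currentAuth cookie
    (assumption: currentAuth appears as a cookie of that name).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample requests, not captured traffic. Request 0 mirrors the
# request quoted in the IOC list; request 1 is a benign SigV4 control with a
# placeholder access key and signature.
SAMPLE_REQUESTS = [
    (
        "GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=1111 HTTP/1.1\r\n"
        "Cookie: CrushAuth=1111111111_111111111111111111111111111111111\r\n"
        "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/\r\n"
        "Connection: close\r\n\r\n"
    ),
    (
        "GET /bucket/object HTTP/1.1\r\n"
        "Host: files.example.test\r\n"
        "Cookie: CrushAuth=2222222222_222222222222222222222222222222222; currentAuth=2222\r\n"
        "Authorization: AWS4-HMAC-SHA256 Credential=EXAMPLEKEY/20250403/us-east-1/s3/aws4_request, "
        "SignedHeaders=host;x-amz-date, Signature=0000000000000000000000000000000000000000000000000000000000000000\r\n"
        "x-amz-date: 20250403T120000Z\r\n\r\n"
    ),
]

AWS4_PREFIX = "AWS4-HMAC-SHA256"
AWS4_SCOPE_PARTS = 5  # <access key>/<date>/<region>/<service>/aws4_request


@dataclass
class Finding:
    rule: str
    detail: str


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into (request line, {lowercased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_aws4_authorization(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the Credential/SignedHeaders/Signature parts of a SigV4 Authorization
    value, or None when the scheme is not AWS4-HMAC-SHA256."""
    if not value.startswith(AWS4_PREFIX):
        return None
    parts: Dict[str, Optional[str]] = {"Credential": None, "SignedHeaders": None, "Signature": None}
    for item in value[len(AWS4_PREFIX):].split(","):
        item = item.strip()
        if "=" in item:
            key, val = item.split("=", 1)
            if key in parts:
                parts[key] = val
    return parts


def parse_cookies(value: str) -> Dict[str, str]:
    """Parse a Cookie header value into a name -> value map."""
    cookies: Dict[str, str] = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.strip().split("=", 1)
            cookies[name] = val
    return cookies


def analyze_request(raw: str) -> List[Finding]:
    """Apply the page's indicators to one request and return the rules that fired."""
    _, headers = parse_request(raw)
    findings: List[Finding] = []

    auth = parse_aws4_authorization(headers.get("authorization", ""))
    if auth is not None:
        cred = auth["Credential"] or ""
        # A legitimate SigV4 credential has five slash-separated parts; the
        # stabilized variant described on the page sends "<username>/" only.
        if len(cred.split("/")) < AWS4_SCOPE_PARTS:
            findings.append(Finding("aws4-credential-without-scope", f"Credential={cred!r}"))
        if auth["SignedHeaders"] is None:
            findings.append(Finding("aws4-missing-signedheaders", "no SignedHeaders entry"))

    cookies = parse_cookies(headers.get("cookie", ""))
    # Assumption: legitimate logins carry currentAuth as a cookie next to CrushAuth.
    if "CrushAuth" in cookies and "currentAuth" not in cookies:
        findings.append(Finding("crushauth-without-currentauth", "CrushAuth present, currentAuth absent"))
    return findings


def scan_requests(requests: List[str]) -> Dict[int, List[str]]:
    """Map request index -> names of rules that fired; clean requests are omitted."""
    result: Dict[int, List[str]] = {}
    for i, raw in enumerate(requests):
        fired = [f.rule for f in analyze_request(raw)]
        if fired:
            result[i] = fired
    return result


if __name__ == "__main__":
    for idx, rules in scan_requests(SAMPLE_REQUESTS).items():
        print(f"request {idx}: {', '.join(rules)}")
```

Running the block reports all three rules for request 0 and nothing for the benign control. The scope-length check is deliberately broader than an exact match on `crushadmin/`: any AWS4 credential with fewer than five components is anomalous for a genuine S3-compatible client, so the rule also catches attempts against other usernames.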

CVSS provenance

nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL