CVE-2025-31161
Published: 2025-04-03
Priority: P1 (100) · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-04-28
Exploited in the wild
EPSS: 99.96% (100.0th percentile)
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crushftp | crushftp | >= 10 < 10.8.4 | 10.8.4 |
| crushftp | crushftp | >= 10.0.0 < 10.8.4 | 10.8.4 |
| crushftp | crushftp | >= 11 < 11.3.1 | 11.3.1 |
| crushftp | crushftp | >= 11.0.0 < 11.3.1 | 11.3.1 |
Detection & IOCs (extracted from sources)
Request pattern reported by the sources:
```http
GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=1111 HTTP/1.1
Cookie: CrushAuth=1111111111_111111111111111111111111111111111
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
Connection: close
```
- Hunt CrushFTP logs for AWS4-HMAC-SHA256 Authorization headers where the Credential field contains only a username followed by a slash (e.g., 'crushadmin/') with no SignedHeaders entry; this is the stabilized exploit variant.
- In CrushFTP.log, look for POST responses to crushadmin (or other admin users) that are NOT preceded by a valid currentAuth cookie; exploitation sessions lack the currentAuth cookie present in legitimate logins.
- Monitor for CrushFTPService.exe spawning cmd.exe or AnyDesk installer processes; this is an observed post-exploitation pivot for credential harvesting (SAM/SYSTEM hive dumping).
- Check CrushFTP.log for the version string pattern 'SERVER||Server Memory Stats: :Version' to confirm the running version and identify unpatched instances (vulnerable: 10.0.0–10.8.3, 11.0.0–11.3.0).
- Detect MeshCentral (MeshAgent) installation from C:\Windows\Temp connecting outbound to rtb.mftadsrvr.com:2087 as a post-exploitation persistence indicator across both CrushFTP and CentreStack incidents.
- Huntress released two public Sigma rules for CVE-2025-31161 detection; obtain and deploy these for broader coverage.
- Note: the authentication bypass is only exploitable on directly exposed HTTP(S) ports; CrushFTP instances fronted by a DMZ proxy instance are protected from this attack.
- Note: the exploit requires a known or guessable username (e.g., the default 'crushadmin'); accounts containing a tilde (~) in the username are not exploitable via this method.
- Note: the original CVE identifier CVE-2025-2825 was rejected by NIST NVD as a duplicate reservation; the authoritative identifier is CVE-2025-31161.
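As an added example (not code from any of the sources on this page), the following Python hunt helper applies the request-level indicators above to captured HTTP requests and checks a version string against the affected-version table; the CrushAuth/c2f relationship it tests is the one encoded in the ET Suricata rule quoted on this page. The sample requests, cookie values and c2f values in it are constructed.

```python
"""Added hunt helpers for CVE-2025-31161 (CrushFTP AWS4-HMAC auth bypass).

inspect_request() reports the request-level indicators listed on this page;
is_vulnerable_version() applies the affected-version table. All sample
requests, cookie values and c2f values below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Affected branches from the version table: [first affected, first fixed).
AFFECTED_RANGES = [((10, 0, 0), (10, 8, 4)), ((11, 0, 0), (11, 3, 1))]

# Credential=<value>, value running to the next comma or whitespace.
CREDENTIAL_RE = re.compile(r"Credential=([^,\s]*)")
# A bare username followed by '/': no tilde, no further scope components.
BARE_USER_RE = re.compile(r"^[^~/]+/$")
# CrushAuth shape from the ET rule: 13 digits, '_', 26 alphanumerics, then the
# 4 characters the rule compares against the c2f parameter.
CRUSHAUTH_RE = re.compile(r"CrushAuth=[0-9]{13}_[A-Za-z0-9]{26}([A-Za-z0-9]{4})")
C2F_RE = re.compile(r"[?&]c2f=([^&\s]+)")


def parse_version(v: str) -> Tuple[int, ...]:
    """'11.3' -> (11, 3, 0); missing components count as zero."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(v: str) -> bool:
    """True when the version falls inside an affected range from the table."""
    ver = parse_version(v)
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into (request line, {lowercased name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw: str) -> List[str]:
    """Return the CVE-2025-31161 indicators present in one raw HTTP request."""
    request_line, headers = parse_request(raw)
    auth = headers.get("authorization", "")
    findings: List[str] = []
    # Indicator 1: AWS4 header whose Credential is just "<user>/" and which
    # carries no SignedHeaders entry (the stabilized, race-free variant).
    if auth.startswith("AWS4-HMAC-SHA256"):
        cred = CREDENTIAL_RE.search(auth)
        if cred and BARE_USER_RE.match(cred.group(1)) and "SignedHeaders=" not in auth:
            user = cred.group(1).rstrip("/")
            findings.append(f"mangled AWS4 Credential for user {user!r} with no SignedHeaders")
    # Indicator 2: the c2f query parameter equals the 4-character tail of a
    # CrushAuth cookie of the shape the ET rule matches.
    crush = CRUSHAUTH_RE.search(headers.get("cookie", ""))
    c2f = C2F_RE.search(request_line)
    if crush and c2f and crush.group(1) == c2f.group(1):
        findings.append("c2f parameter equals the last 4 characters of the CrushAuth cookie")
    return findings


# Constructed sample modelled on the request pattern shown on this page.
SUSPECT_REQUEST = (
    "GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=1234 HTTP/1.1\r\n"
    "Cookie: CrushAuth=1744000000000_abcdefghijklmnopqrstuvwxyz1234\r\n"
    "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/\r\n"
    "Connection: close\r\n\r\n"
)
# Constructed benign control: a well-formed SigV4 header has a multi-part
# credential scope and a SignedHeaders entry, so nothing should fire.
BENIGN_REQUEST = (
    "GET /bucket/object HTTP/1.1\r\n"
    "Authorization: AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250403/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-date, Signature=0000\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, inspect_request(req) or ["no indicators"])
    for v in ("10.8.3", "10.8.4", "11.3.0", "11.3.1"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

Feed it decrypted request heads from a proxy or web-server log; the benign SigV4 control shows why the check keys on the absence of SignedHeaders rather than on the AWS4 scheme alone.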
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
- CISA: 9.8 CRITICAL
GHSA
GHSA-c57h-rx24-vf52 · ghsa_unreviewed · 2025-04-03 · CVE-2025-31161 [CRITICAL] CWE-305
Description: same text as the CVE record above.
VulnCheck
CrushFTP Authentication Bypass Vulnerability
vulncheck · 2025 · CVSS 9.8 · CVE-2025-31161 [CRITICAL] CWE-305
CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise.
Affected: CrushFTP CrushFTP
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2025-31161
- https://x.com/Shadowserver/status/1906753539499520064
- https://arcticwolf.com/resources/blog/cve-2025-31161/
- https://outpost24.com/blog/crushftp-auth-bypas
VulnCheck
CrushFTP Authorization Bypass RCE
vulncheck · 2025 · CVSS 9.8 · CVE-2025-2825 [CRITICAL]
Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-31161. Reason: This Record is a reservation duplicate of CVE-2025-31161. Notes: All CVE users should reference CVE-2025-31161 instead of this Record. All references and descriptions in this Record have been removed to prevent accidental usage.
Affected: crushftp CrushFTP
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-30&host_type=src&vulnerability=cve-2025-2825
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-31&host_type=src&vulnerab
VulnCheck
CrushFTP VFS Sandbox Escape Vulnerability
vulncheck · 2024 · CVSS 9.8 · CVE-2024-4040 [CRITICAL] CWE-1336
CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS).
Affected: CrushFTP CrushFTP
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
- https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-05-14
CISA
CrushFTP Authentication Bypass Vulnerability
cisa · 2025-04-07 · CVSS 9.8 · CVE-2025-31161 [CRITICAL] CWE-305
Affected: CrushFTP CrushFTP
CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update ; https://nvd.nist.gov/vuln/detail/CVE-2025-31161
Remediation Due Date: 2025-04-28
Suricata
ET EXPLOIT [CORELIGHT] CrushFTP Auth Bypass Attempt (CVE-2025-31161)
suricata · 2025-04-16 · CVSS 9.8 · CVE-2025-31161 [CRITICAL]
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [CORELIGHT] CrushFTP Auth Bypass Attempt (CVE-2025-31161)"; flow:established,to_server; http.header; to_lowercase; content:"authorization|3a 20|"; content:"|20|credential|3d|"; pcre:"/^[^\x7e\x2f\x0d\x0a]+\x2f/R"; http.cookie; content:"CrushAuth|3d|"; fast_pattern; pcre:"/^[0-9]{13}_[a-zA-Z0-9]{26}/R"; content:"currentAuth="; byte_extract:4,0,c2f,relative; http.request_body; content:"c2f|3d|"; byte_test:4,=,c2f,0,relative; reference:url,github.com/Immersive-Labs-Sec/CVE-2025-31161/; reference:cve,2025-31161; classtype:attempted-admin; sid:2061619; rev:1; metadata:affected_product CrushFTP, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_1
```
Suricata
ET WEB_SPECIFIC_APPS CrushFTP Authentication Bypass (CVE-2025-2825)
suricata · 2025-03-31 · CVSS 9.8 · CVE-2025-2825 [CRITICAL]
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CrushFTP Authentication Bypass (CVE-2025-2825)"; flow:established,to_server; http.uri; content:"c2f|3d|"; byte_extract:4,0,c2f,relative; http.header; to_lowercase; content:"authorization|3a 20|"; content:"|20|credential|3d|"; pcre:"/^[^\x7e\x2f\x0d\x0a]+\x2f/R"; http.cookie; content:"CrushAuth|3d|"; fast_pattern; pcre:"/^[0-9]{13}_[a-zA-Z0-9]{26}/R"; byte_test:4,=,c2f,0,relative; reference:url,projectdiscovery.io/blog/crushftp-authentication-bypass; reference:cve,2025-2825; reference:cve,2025-31161; classtype:web-application-attack; sid:2061227; rev:1; metadata:affected_product CrushFTP, attack_target Server, tls_state TLSDecrypt, created_at 20
```
Exploit-DB
CrushFTP 11.3.1 - Authentication Bypass
exploitdb · 2025-05-18 · CVSS 9.8 · CVE-2025-31161 [CRITICAL]
Listing header and preamble (truncated in the source):
```python
# Exploit Title: CrushFTP 11.3.1 - Authentication Bypass
# Date: 2025-05-15
# Exploit Author: @İbrahimsql
# Exploit Author's github: https://github.com/ibrahimsql
# Vendor Homepage: https://www.crushftp.com
# Software Link: https://www.crushftp.com/download.html
# Version: =2.28.1 , colorama>=0.4.6 , urllib3>=1.26.12 , prettytable>=2.5.0 , rich>=12.6.0
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import argparse
import concurrent.futures
import json
import logging
import os
import random
import re
import socket
import string
import sys
import time
from datetime import datetime
from typing import Dict, List, Optional, Tuple, Union
import requests
import urllib3
from colorama import Fore, Style, init
from prettytable import PrettyTable
from
```
Nuclei
CrushFTP - Authentication Bypass
nuclei · CVSS 9.8 · CVE-2025-31161 [CRITICAL]
Template (truncated in the source):
```yaml
id: CVE-2025-31161
info:
  name: CrushFTP - Authentication Bypass
  author: parthmalhotra,Ice3man,DhiyaneshDk,pdresearch,whattheslime
  severity: critical
  description: |
    CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.
  impact: |
    Unauthenticated attackers can bypass authentication by forging session cookies, gaining unaut
```
Mandiant
Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape
blogs_mandiant · 2026-03-16 · Google Threat Intelligence Group
Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark
Introduction: Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, w
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio · 2026-02-02
Tenable
CVE-2025-54309: CrushFTP Zero-Day Vulnerability Exploited In The Wild
blogs_tenable · 2025-07-18 · CVSS 9.0 · [CRITICAL]
Huntress
Do Tigers Really Change Their Stripes?
blogs_huntress · 2025-05-06 · CVSS 9.8 · [CRITICAL]
Something we often hear within the cybersecurity community, and particularly within digital forensics and incident response (DFIR), is that “threat actors are always changing their tactics.” If you’re just responding to incidents and putting out fires, it might seem like that, but if you’re really looking into incidents and tracking indicators and threat actor tactics, techniques, and procedures (TTPs), you’re very likely going to see that without some significant external stimulus, such as significant differences in infrastructure design and tooling, there’s really no need for a threat actor to change their tactics.
Huntress analysts and researchers recently published information regarding two vulnerabilities. On 4 April 2025, the CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation
Wiz
Crying Out Cloud Newsletter - May 2025 | Wiz
blogs_wiz · 2025-05-01 · CVSS 10.0 · CVE-2025-32433 [CRITICAL]
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure.
Here are our top picks of cloud security highlights!
Hype or no hype – Critical Vulnerability in Erlang/OTP SSH Implementation
CVE-2025-32433 is a critical vulnerability (CVSS 10.0) in the Erlang/Open Telecom Platform (OTP) SSH implementation that allows unauthenticated remote attackers to execute arbitrary code by exploiting flaws in how the SSH protocol sequence is handled. Specifically, the vulnerability stems from the improper enforcement of message ordering, enabling attackers to send malicious SSH protocol messages before authentication and gain code executi
Huntress
CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild
blogs_huntress · 2025-04-14 · CVSS 9.8 · [CRITICAL]
Special thanks to Craig Sweeney, Hayden Drummond, Michael Tigges, Tanner Filip, Jevon Ang, Jamie Dumas, Stephanie Fairless, and Lindsey Welch for their contributions and support for this writeup.
On Friday, 11 April 2025, the Huntress SOC received an alert from one of our own internal detectors known to catch 0-day exploitation.
Figure 1: Process Tree of the Powershell Payload Originating from the IIS Worker Process
While this is a simple detection to see suspicious outbound connections from an irregular child process, it indicates there may be more to uncover against the software served by the web service worker.
In this case, the suspect software was Gladinet CentreStack, which was just recently added to CISA’s Known Exploited Vulnerabilities database with CVE-2025-30406. At the time
Huntress
CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation
blogs_huntress · 2025-04-04 · CVSS 9.8 · CVE-2025-31161 [CRITICAL]
UPDATED 04/08/2025 @ 3pm ET
TL;DR: CVE-2025-31161 is a critical severity vulnerability allowing attackers to control how user authentication is handled by CrushFTP managed file transfer (MFT) software. We strongly recommend patching immediately to avoid affected versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. Successful exploitation of CVE-2025-31161 would give attackers admin level access across the CrushFTP application for further compromise. This blog outlines our re-created proof-of-concept for CVE-2025-31161 and attackers’ use of both legitimate and malicious RMM tooling for post-exploitation activities.
We will continue to update this post with new findings.
Update #1 - 04/07/2025 @3pm ET - Updated to reflect newly detected post-exploitation activity
Note: An earlier CV
Bleepingcomputer
Critical auth bypass bug in CrushFTP now exploited in attacks
blogs_bleepingcomputer · 2025-04-01 · CVSS 9.8 · CVE-2025-2825 [CRITICAL]
By Sergiu Gatlan
Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code.
The security vulnerability (CVE-2025-2825) was discovered and reported by Outpost24 (which identifies it as CVE-2025-31161), and it allows remote attackers to gain unauthenticated access to devices running unpatched CrushFTP v10 or v11 software.
"Please take immediate action to patch ASAP. The bottom line of this vulnerability is that an exposed HTTP(S) port could lead to unauthenticated access," CrushFTP warned in an email sent to customers on Friday, March 21, when it released patches to address the security flaw.
As a wor
Greynoiseio
Storm Watch
blogs_greynoiseio · CVSS 9.8 · [CRITICAL]
References
- https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo
- https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
- https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis
- https://projectdiscovery.io/blog/crushftp-authentication-bypass
- https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation
- https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
- https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure/
- https://www.vicarius.io/vsociety/posts/cve-2025-31161-detect-crushftp-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-31161-mitigate-crushftp-vulnerability
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31161
Timeline
- 2025-04-03: Published
- 2025-04-07: Added to CISA KEV
- Exploited in the wild