Introduction
A critical authentication bypass vulnerability has been identified in CrushFTP, a popular file transfer software. This vulnerability, tracked as CVE-2025-31161 and CVE-2025-2825, allows remote attackers to gain unauthorized access to systems running unpatched versions of the software [1]. The flaw affects multiple versions of CrushFTP and poses a significant security risk, making it an attractive target for malicious actors, including ransomware gangs.
Description
A critical authentication bypass vulnerability in CrushFTP [1] [2] [4] [6] [7], tracked as CVE-2025-31161 and also identified as CVE-2025-2825, allows remote attackers to gain unauthorized access to systems running unpatched versions of the software by sending unauthenticated HTTP requests. The flaw affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 [6] and is exploitable over any exposed HTTPS port. It carries a CVSS v3.1 score of 9.8 [7]. Over 1,800 vulnerable instances were identified online, with more than 1,500 still unpatched as of late March 2025, which is why file transfer products like CrushFTP are attractive targets for ransomware gangs [1].
The vulnerability stems from a race condition in the AWS4-HMAC authentication method of CrushFTP's HTTP component [3], specifically in the loginCheckHeaderAuth() method, which processes HTTP requests carrying S3-style Authorization headers [4]. It lets an attacker authenticate as any known or guessable user [3], including the default “crushadmin” account, by sending a manipulated Authorization header [1] [7]. On receiving such a header, the server first checks whether the user exists by invoking the internal authentication mechanism without requiring a password [1]; HMAC verification then marks the session as authenticated before the subsequent user verification check runs [3]. The session is meant to be invalidated when incorrect data is supplied, but the race condition can leave it authenticated for a brief window [1]. By stabilizing the attack with a malformed AWS4-HMAC header [7], an attacker can make that session permanent, leading to full system compromise [1], a risk compounded by how many users choose easily guessable usernames [1].
CrushFTP publicly disclosed the vulnerability on March 21, 2025, after Outpost24 requested a CVE on March 13 [5]. Patches are available, and users are urged to update immediately to version 10.8.4 or 11.3.1 or later [1] [7]. In its security advisory, CrushFTP stressed the urgency of patching and warned that an exposed HTTPS port could enable unauthorized access [7]. Despite the patches, many servers remain unpatched [2] [6], and exploitation attempts have been observed that use the publicly available Proof-of-Concept (PoC) exploit code released by ProjectDiscovery; the Shadowserver Foundation has reported widespread attacks exploiting this vulnerability. Where immediate patching is not feasible, organizations are advised to enable the DMZ perimeter network configuration as a temporary workaround, monitor system logs for unusual authentication attempts, and restrict public-facing access to CrushFTP servers to reduce exposure [1] [7]. Rapid7 has also released Indicators of Compromise (IOCs) to help identify intrusions related to this vulnerability [2].
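As an added illustration of the log-monitoring advice above (example code, not from CrushFTP or any of the cited vendors), the following Python script scans constructed access-log lines for S3-style AWS4-HMAC authentication attempts and flags those that are malformed or that name the default administrative account. The log line format, the LOG_RE pattern and the sample entries are assumptions and would need adapting to a real CrushFTP log.

```python
import re

# Default administrative account named in the advisories; add local admin names here.
PRIVILEGED_USERS = {"crushadmin"}

# Shape of a well-formed AWS Signature V4 Authorization header (access key = username).
SIGV4_RE = re.compile(
    r"^AWS4-HMAC-SHA256\s+Credential=(?P<user>[^/,\s]+)/(?P<scope>[^,\s]+),\s*"
    r"SignedHeaders=(?P<signed>[^,\s]+),\s*Signature=(?P<sig>[0-9a-f]{64})$")

# Assumed (constructed) access-log shape: ts ip "request" status authorization="header"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) '
                    r'authorization="(?P<auth>[^"]*)"$')

def classify_auth_header(value: str) -> list:
    """Return the reasons an Authorization header deserves review (empty if none)."""
    if not value.startswith("AWS4-HMAC"):
        return []                         # only S3-style auth is in scope here
    findings = ["aws4-hmac-auth"]         # every S3-style login attempt is worth a record
    m = SIGV4_RE.match(value)
    if m is None:
        findings.append("malformed-sigv4")
        um = re.search(r"Credential=([^/,\s]*)", value)   # salvage the claimed user
        user = um.group(1) if um else ""
    else:
        user = m.group("user")
    if user.lower() in PRIVILEGED_USERS:
        findings.append("privileged-user")
    return findings

def scan_log(lines):
    """Return (source_ip, request, reasons) for every line that needs review."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                      # unknown line shape: skip rather than guess
        reasons = classify_auth_header(m.group("auth"))
        if reasons:
            alerts.append((m.group("ip"), m.group("req"), reasons))
    return alerts

# Constructed sample lines: a password login, a legitimate S3 client, a malformed header.
SAMPLE_LOG = [
    '2025-03-28T10:00:01Z 10.0.0.5 "GET /WebInterface/" 200 authorization="Basic dXNlcjpwYXNz"',
    '2025-03-28T10:00:02Z 203.0.113.7 "PUT /backups/db.bin" 200 authorization="AWS4-HMAC-SHA256 '
    'Credential=backup/20250328/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, '
    'Signature=' + "a" * 64 + '"',
    '2025-03-28T10:00:03Z 198.51.100.9 "GET /WebInterface/" 200 '
    'authorization="AWS4-HMAC-SHA256 Credential=crushadmin, SignedHeaders=host"',
]
```

Calling scan_log(SAMPLE_LOG) returns two alerts: the legitimate S3 client is recorded only as an AWS4-HMAC login, while the malformed header naming crushadmin is flagged on all three counts.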
The risks associated with this vulnerability are significant, including potential data breaches and operational disruptions, which could lead to financial losses and reputational damage [6]. Organizations may also face regulatory compliance issues if sensitive data is exposed through an unpatched system [6], underscoring the need for prompt action. CrushFTP has criticized the premature sharing of details by third-party firms, which may have accelerated exploitation, and has emphasized the importance of responsible disclosure in handling such vulnerabilities [5].
Conclusion
The CrushFTP vulnerability presents a severe threat to organizations using the software, with potential consequences including data breaches, financial losses [6], and reputational harm [6]. Immediate patching is crucial to mitigate these risks, and organizations should consider additional security measures such as network configuration adjustments and monitoring for unusual activity. The incident underscores the importance of responsible disclosure and timely response to vulnerabilities to prevent exploitation and protect sensitive data.
References
[1] https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
[2] https://socradar.io/crushftp-vulnerability-exploitation-cve-2025-31161/
[3] https://www.tenable.com/cve/CVE-2025-31161
[4] https://www.esentire.com/security-advisories/crushftp-authentication-bypass
[5] https://thecyberwire.com/podcasts/daily-podcast/2279/transcript
[6] https://1898advisories.burnsmcd.com/active-exploitation-of-crushftp-vulnerability
[7] https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure/