
CrushFTP CVE-2025-31161 Targeted by Attackers

A recently disclosed and much-discussed authentication bypass vulnerability in some versions of the CrushFTP server has been added to CISA’s Known Exploited Vulnerability catalog after researchers identified active exploitation activity targeting vulnerable instances. 

Why It Matters: This is a critical vulnerability that can enable a remote, unauthenticated attacker to take over the admin account. Details of the vulnerability have been public for a couple of weeks, and researchers from the Shadowserver Foundation have identified about 1,500 vulnerable instances online. “A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more,” the CVE description says.

Key Details

  • The bug affects CrushFTP 10 before 10.8.4 and 11 before 11.3.1

  • CrushFTP released updated versions of the software on March 21 to address the vulnerability 

  • Active attacks against this bug have been going on since at least the last week of March, and the details and PoC exploit code are publicly available

  • “Upon successful exploitation, an adversary may gain access to the administrator user account for the CrushFTP application, and leverage this to create new backdoor accounts, access files (upload and download), obtain code execution, and achieve full control of the vulnerable server,” Huntress researchers said.
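
The affected ranges above (10 before 10.8.4, 11 before 11.3.1) are the one concrete check a defender can run across a fleet today. The following is an added example, not code from Vulnerable U or from CrushFTP: a small version parser and triage routine that flags which hosts in an inventory still run an affected release. The inventory entries and hostnames are constructed for illustration, and the function deliberately returns `None` for branches the advisory does not name (anything other than 10.x or 11.x) or for strings it cannot parse, rather than guessing.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases as stated in the advisory:
# CrushFTP 10 before 10.8.4 and 11 before 11.3.1 are affected.
FIXED_VERSIONS = {10: (10, 8, 4), 11: (11, 3, 1)}

# Leading dotted-numeric version; trailing build tags such as "_build77" are ignored.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '11.3.0' or '10.8.4_build123' into a tuple of ints, or None if unparseable."""
    match = _VERSION_RE.match(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable_to_cve_2025_31161(version_text: str) -> Optional[bool]:
    """Classify a reported CrushFTP version against the advisory's affected ranges.

    Returns True  if the version is below the fixed release for its branch,
            False if it is at or above the fixed release,
            None  if the string cannot be parsed or the major version is not
                  10 or 11 (the advisory names only those two branches, so we
                  make no claim about others).
    """
    version = parse_version(version_text)
    if version is None:
        return None
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    # Tuple comparison handles short strings ("10.8" < (10, 8, 4)) and
    # four-part builds ("11.3.1.2" >= (11, 3, 1)) the way an analyst would expect.
    return version < fixed


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames that must be patched, given (hostname, version) pairs.

    Only entries positively identified as affected are returned; unparseable or
    out-of-scope versions should be reviewed by hand, not silently dropped.
    """
    return [host for host, ver in inventory if is_vulnerable_to_cve_2025_31161(ver) is True]


def needs_manual_review(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hostnames whose version string could not be classified either way."""
    return [host for host, ver in inventory if is_vulnerable_to_cve_2025_31161(ver) is None]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for illustration.
    SAMPLE_INVENTORY = [
        ("ftp-dmz-01.example.internal", "10.8.3"),
        ("ftp-dmz-02.example.internal", "10.8.4"),
        ("partner-xfer.example.internal", "11.2.9_build77"),
        ("mft-core.example.internal", "11.3.1"),
        ("legacy-box.example.internal", "9.5.0"),
        ("unknown-host.example.internal", "n/a"),
    ]
    print("Patch now:", triage_inventory(SAMPLE_INVENTORY))
    print("Review manually:", needs_manual_review(SAMPLE_INVENTORY))
```

The split between "patch now" and "review manually" is intentional: a scanner that treats an unparseable banner as "not vulnerable" will quietly hide exactly the hosts that most need a second look.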

Exploit Activity

With the details of the bug having been published more than two weeks ago, attackers have had ample time to study the bug and the patch and work out how to exploit it. Active attacks have been under way for at least a week, and several research teams have observed adversaries targeting the bug, although none has attributed the activity to a named threat group.