The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently incorporated a critical security flaw affecting CrushFTP into its Known Exploited Vulnerabilities (KEV) catalog. This action follows reports of active exploitation of the vulnerability in real-world scenarios.
Understanding the Vulnerability
The identified vulnerability, designated as CVE-2025-31161 with a CVSS score of 9.8, is an authentication bypass issue within CrushFTP’s HTTP authorization header. This flaw enables remote, unauthenticated attackers to gain access to any known or guessable user account, such as the default ‘crushadmin,’ potentially leading to full system compromise. The vulnerability has been addressed in CrushFTP versions 10.8.4 and 11.3.1.
Details of the Exploitation
Huntress, a cybersecurity firm, observed active exploitation of CVE-2025-31161 on April 3, 2025. Their investigation revealed that attackers utilized the vulnerability to install legitimate remote desktop software like AnyDesk and MeshAgent, facilitating persistent access to compromised systems. The exploitation efforts targeted four distinct hosts across different companies, including those in the marketing, retail, and semiconductor sectors. Notably, three of the affected entities were hosted by the same managed service provider (MSP).
Controversy Surrounding the Disclosure Process
The disclosure process for this vulnerability has been marked by confusion and controversy. Initially, VulnCheck, acting as a CVE Numbering Authority (CNA), assigned the identifier CVE-2025-2825 to the flaw. However, this identifier was later rejected in favor of CVE-2025-31161, assigned by MITRE. Outpost24, credited with responsibly disclosing the flaw to CrushFTP, clarified that they requested a CVE number from MITRE on March 13, 2025, and coordinated with CrushFTP to ensure fixes were implemented within a 90-day disclosure period. The assignment of CVE-2025-31161 by MITRE occurred on March 27, by which time VulnCheck had already released a CVE identifier without prior consultation with CrushFTP or Outpost24.
Technical Exploitation Steps
Outpost24 provided a method to exploit the vulnerability without divulging extensive technical details:
1. Generate a random alphanumeric session token of at least 31 characters.
2. Set a cookie named ‘CrushAuth’ to the value generated in step 1.
3. Set a cookie named ‘currentAuth’ to the last four characters of the value from step 1.
4. Perform an HTTP GET request to the target’s ‘/WebInterface/function/’ endpoint, including the cookies from steps 2 and 3, and an Authorization header formatted as AWS4-HMAC=
Executing these steps results in the session being authenticated as the specified user, granting the attacker the ability to perform any actions permitted to that user.
Implications for Organizations
The active exploitation of this vulnerability underscores the critical need for organizations using CrushFTP to promptly update their systems to the patched versions (10.8.4 or 11.3.1). Failure to do so leaves systems susceptible to unauthorized access and potential data breaches.
Recommendations for Mitigation
To mitigate the risks associated with CVE-2025-31161, organizations should:
1. Update Systems: Immediately upgrade CrushFTP to versions 10.8.4 or 11.3.1, which contain the necessary patches for this vulnerability.
2. Monitor for Unusual Activity: Implement continuous monitoring to detect unauthorized access or unusual system behavior that may indicate exploitation attempts.
3. Review Access Controls: Evaluate and strengthen access control policies to ensure that only authorized personnel have access to critical systems and data.
4. Educate Staff: Provide training to employees on recognizing phishing attempts and other common attack vectors that could be used in conjunction with this vulnerability.
5. Develop an Incident Response Plan: Establish and regularly update an incident response plan to swiftly address potential security breaches.
Conclusion
The inclusion of CVE-2025-31161 in CISA’s KEV catalog highlights the severity of the CrushFTP authentication bypass vulnerability and the importance of immediate remediation. Organizations must act swiftly to update their systems and implement robust security measures to protect against potential exploits.
