Critical Authentication Bypass Vulnerability in CrushFTP Exploited in Active Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical authentication bypass vulnerability in CrushFTP, a widely used file transfer application, to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability, identified as CVE-2025-31161, is currently being actively exploited, posing significant security risks to organizations utilizing affected versions of the software.

Overview of the Vulnerability

CVE-2025-31161 affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. With a Common Vulnerability Scoring System (CVSS) score of 9.8, this flaw is classified as critical. It allows remote attackers to gain unauthenticated access to systems running unpatched instances of CrushFTP, potentially leading to full system compromise and data theft.

Technical Details

The vulnerability was discovered by security researchers at Outpost24. It originates from a critical issue in how CrushFTP processes S3 authorization headers. Specifically, a boolean flag named `lookup_user_pass` is used for dual purposes within the authentication chain. When this flag is set to true, it bypasses password verification due to a problematic condition in the `UserTools.java` file.

Exploitation of this vulnerability is relatively straightforward. An attacker can craft an HTTP request with an S3-style authorization header containing a valid username and a properly formatted `CrushAuth` cookie. If the username does not contain a tilde character, the system defaults to bypassing password verification entirely, allowing the attacker to authenticate as any known or guessable user without providing a password.
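The following is an added illustration, not CrushFTP's code and not the actual `UserTools.java` logic: it models the dual-purpose flag anti-pattern the researchers describe, beside a hardened form in which each authentication path must present its own verified credential. The names `User`, `USERS`, `login_vulnerable`, `login_hardened` and the sample secrets are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    name: str
    password: str      # constructed sample; a real system stores a salted hash
    s3_secret: bytes   # per-user signing key for S3-style requests


# Constructed user directory for the example.
USERS: Dict[str, User] = {"alice": User("alice", "correct-horse", b"alice-s3-secret")}


def _sign(secret: bytes, string_to_sign: str) -> str:
    """HMAC-SHA256 over the canonical request, as an S3-style signature would be."""
    return hmac.new(secret, string_to_sign.encode(), hashlib.sha256).hexdigest()


def login_vulnerable(username: str, password: Optional[str], lookup_user_pass: bool) -> bool:
    """Anti-pattern: one boolean both selects the 'look the user up' path and
    short-circuits password verification, so any known username is accepted
    without a credential whenever the flag is set."""
    user = USERS.get(username)
    if user is None:
        return False
    if lookup_user_pass:  # BUG: a lookup flag is treated as proof of identity
        return True
    return password is not None and hmac.compare_digest(user.password, password)


def login_hardened(username: str, password: Optional[str] = None,
                   s3_string_to_sign: Optional[str] = None,
                   s3_signature: Optional[str] = None) -> bool:
    """Each path proves identity on its own: a password is compared, or an
    S3-style signature is recomputed with the user's secret. No flag can skip
    verification, and a request that presents no credential is rejected."""
    user = USERS.get(username)
    if user is None:
        return False
    if s3_signature is not None and s3_string_to_sign is not None:
        expected = _sign(user.s3_secret, s3_string_to_sign)
        return hmac.compare_digest(expected, s3_signature)
    if password is not None:
        return hmac.compare_digest(user.password, password)
    return False  # no credential presented, no access
```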

Exploitation in the Wild

According to the Shadowserver Foundation, numerous exploitation attempts targeting internet-exposed CrushFTP servers have been detected, with over 1,500 vulnerable instances identified online. Huntress researchers observed in-the-wild exploitation as early as March 30, 2025, with attackers leveraging the vulnerability to deploy remote management tools and other malware for post-exploitation activities.

CISA Directive and Remediation

On April 7, 2025, CISA added CVE-2025-31161 to its KEV catalog under Binding Operational Directive (BOD) 22-01. This directive requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date. CISA emphasized that such vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CrushFTP addressed this vulnerability by releasing patches in versions 10.8.4 and 11.3.1 on March 21, 2025. Organizations unable to update immediately can enable the DMZ (demilitarized zone) perimeter network option as a temporary workaround.

While BOD 22-01 specifically applies to FCEB agencies, CISA strongly urges all organizations to prioritize remediation of this vulnerability as part of their vulnerability management practices. Security experts recommend immediate action to update CrushFTP installations to the patched versions, especially for internet-facing instances that could be targeted by opportunistic attackers.

Broader Implications

This incident underscores the critical importance of promptly addressing vulnerabilities in widely used software applications. File transfer applications like CrushFTP are attractive targets for threat actors due to the sensitive nature of the data they handle. Organizations should maintain vigilance and promptly apply security updates to mitigate potential compromises through such vulnerabilities.

In recent years, similar vulnerabilities in file transfer products have been exploited by ransomware gangs and state-backed actors. For instance, the Clop ransomware gang exploited zero-day vulnerabilities in MOVEit Transfer, GoAnywhere MFT, Accellion FTA, and Cleo software to steal data from thousands of organizations worldwide. These incidents highlight the ongoing threat posed by vulnerabilities in file transfer applications and the need for organizations to implement robust security measures.

Recommendations for Organizations

1. Immediate Patching: Organizations using CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 should upgrade to versions 10.8.4 or 11.3.1 immediately to mitigate the vulnerability.

2. Temporary Workarounds: If immediate patching is not feasible, enabling the DMZ feature in CrushFTP can serve as a temporary mitigation measure.

3. Network Monitoring: Implement continuous monitoring of network traffic to detect any unusual activities that may indicate exploitation attempts.

4. Access Controls: Review and strengthen access controls to limit exposure and reduce the risk of unauthorized access.

5. Incident Response Planning: Develop and regularly update incident response plans to ensure a swift and effective response to potential security incidents.

Conclusion

The active exploitation of CVE-2025-31161 in CrushFTP serves as a stark reminder of the importance of timely vulnerability management and the need for organizations to stay vigilant against emerging threats. By promptly applying patches and implementing robust security measures, organizations can protect their systems and sensitive data from potential compromise.