CVE-2025-31161
CVE-2025-31161 is a critical-severity vulnerability in Crushftp with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-04-07). The underlying weakness is classified as CWE-305.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-04-07)
- EU (EUVD) id: EUVD-2025-9910
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-04-07)
- Weakness: CWE-305
- Affected product: Crushftp
- Published:
- Last modified:
Description
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
CVE-2025-31161: CrushFTP Authentication Bypass via AWS4-HMAC (Critical, KEV)
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2025-31161 |
| CVSS v3 | 9.8 (CRITICAL) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.99947 (99.95%) |
| EPSS Percentile | 99.97th |
| KEV | Yes (added 2025-04-07) |
| CWE | CWE-305 |
| Published | 2025-04-03 |
| Modified | 2026-06-17 |
Summary
CrushFTP versions 10 (prior to 10.8.4) and 11 (prior to 11.3.1) are affected by an authentication bypass vulnerability in the AWS4-HMAC authorization path of the HTTP(S) component. The flaw allows an unauthenticated remote attacker to authenticate as any known or guessable user — most critically the built-in crushadmin account — leading to full administrative compromise. This vulnerability has been actively exploited in the wild since March and April 2025.
Background
CrushFTP is a popular multi-protocol file transfer server supporting FTP, FTPS, SFTP, HTTP, and HTTPS. The HTTP(S) component includes an S3-compatible API that uses AWS Signature Version 4 (AWS4-HMAC) for request authentication. During routine security research, a flaw was discovered in how CrushFTP validates AWS4-HMAC signatures prior to user verification, creating a window where authentication can succeed without valid credentials.
Root Cause
CWE-305: Authentication Bypass by Primary Weakness
The vulnerability stems from a logic flaw in the AWS4-HMAC authentication handler within CrushFTP's HTTP component. The server initiates authentication by calling login_user_pass() to verify the existence of a username without requiring a password at that stage. The session is then advanced through the HMAC verification process. A race condition exists between the initial user lookup and the subsequent verification check.
Additionally, the vulnerability can be stabilized by sending a malformed AWS4-HMAC header containing only the username followed by a slash (/). This causes the server to successfully locate the username and trigger an "anypass" authentication path, but then fails to find the expected SignedHeaders entry, resulting in an index-out-of-bounds exception that prevents the session from being properly cleaned up. The combination of these issues makes authentication bypass trivial and reliable.
Impact
With a CVSS v3 score of 9.8 (CRITICAL), this vulnerability presents severe risk:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over HTTP(S) |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | None | Fully unauthenticated |
| User Interaction | None | No victim action needed |
| Scope | Unchanged | Impact limited to the vulnerable component |
| Confidentiality | High | Full access to files and configurations |
| Integrity | High | Ability to modify data and accounts |
| Availability | High | Potential for service disruption |
Successful exploitation grants an attacker administrative access to the CrushFTP server, enabling file exfiltration, configuration tampering, backdoor installation, and lateral movement within the hosting environment.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive awareness and detection engineering only. Attempting to exploit systems without explicit authorization is illegal and unethical.
The attack leverages the AWS4-HMAC authentication flow in CrushFTP's HTTP(S) interface:
- The attacker sends a request to the HTTP(S) port with an AWS4-HMAC authorization header targeting a known or guessable username (commonly
crushadmin). - The server looks up the username via
login_user_pass()without validating the password, creating an authenticated session context. - Due to the race condition or by sending a malformed header (username followed by
/), the HMAC verification process completes or errors out in a way that bypasses the final credential check. - The attacker gains an authenticated session as the targeted user, effectively achieving administrative takeover.
Organizations should treat any CrushFTP instance exposed to the internet as potentially compromised if it was running a vulnerable version during the March–April 2025 exploitation window.
Affected and Patched Versions
| Status | Versions |
|---|---|
| Affected | CrushFTP 10.x < 10.8.4 |
| Affected | CrushFTP 11.x < 11.3.1 |
| Patched | CrushFTP 10.8.4 and later |
| Patched | CrushFTP 11.3.1 and later |
Note: Deployments using a DMZ proxy instance are not vulnerable to the crushadmin account takeover, though other impacts may still apply depending on configuration.
Remediation
- Upgrade immediately to CrushFTP 10.8.4 or 11.3.1 (or later). The vendor has released patches that address the authentication bypass.
- Apply network segmentation. Restrict CrushFTP HTTP(S) ports to trusted IP ranges where possible. Do not expose administrative interfaces to the public internet.
- Implement a DMZ proxy. If not already in use, consider deploying a DMZ proxy instance to insulate the main server from direct internet exposure.
- Review and rotate credentials. After patching, force password resets for all CrushFTP accounts — especially
crushadminand other privileged accounts — and audit account configurations for unauthorized changes. - Inspect for persistence. Check for newly created accounts, modified permissions, unexpected scheduled jobs, or unauthorized file uploads that may indicate prior compromise.
Detection
- Network: Monitor HTTP(S) traffic to CrushFTP for requests containing malformed or truncated AWS4-HMAC authorization headers, particularly those with unusual
CredentialorSignedHeadersfields. - Authentication Logs: Look for successful logins from unexpected source IPs, especially for the
crushadminaccount or other high-privilege users. - Endpoint: Hunt for anomalous child processes spawned by the CrushFTP service, unexpected file system modifications, or new user accounts created outside of change-management windows.
- Threat Intelligence: Correlate source IPs against known indicators of compromise from CISA KEV and security vendor reports published in April 2025.
Assessment
This vulnerability is exceptionally dangerous due to its trivial exploitability and active exploitation in the wild. An EPSS score of 0.99947 (99.95th percentile) indicates near-certain exploitation probability, and CISA added it to the Known Exploited Vulnerabilities catalog on 2025-04-07 — just four days after public disclosure. The EU also flagged it as exploited (EUVD-2025-9910) on the same date.
Key takeaways:
- Authentication state machines are high-risk targets. Splitting credential verification across multiple phases (user lookup → HMAC validation → final check) introduces race conditions and logic bypass opportunities. Security-critical code paths should be designed with atomic, fail-closed semantics.
- The disclosure timeline amplified impact. Public exploitation began in March 2025, and the coordinated disclosure process became contentious. Organizations relying solely on patch Tuesdays or delayed patching cycles were left exposed during a period of mass exploitation. Critical infrastructure exposed to the internet must be patchable within hours, not weeks.
References
- https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo
- https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
- https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis
- https://projectdiscovery.io/blog/crushftp-authentication-bypass
- https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation
- https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
- https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure/
- https://www.vicarius.io/vsociety/posts/cve-2025-31161-detect-crushftp-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-31161-mitigate-crushftp-vulnerability
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31161
Frequently asked questions
- What is CVE-2025-31161?
- CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
- How severe is CVE-2025-31161?
- CVE-2025-31161 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-31161 being actively exploited?
- Yes. CVE-2025-31161 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-04-07, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2025-31161?
- CVE-2025-31161 affects Crushftp. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-31161?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2025-31161 have an EU (EUVD) identifier?
- Yes. CVE-2025-31161 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-9910. It is also flagged as exploited in the EUVD (since 2025-04-07).
- When was CVE-2025-31161 published?
- CVE-2025-31161 was published on 2025-04-03 and last updated on 2026-06-17.
References
- https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo
- https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
- https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis
- https://projectdiscovery.io/blog/crushftp-authentication-bypass
- https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation
- https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
- https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure/
- https://www.vicarius.io/vsociety/posts/cve-2025-31161-detect-crushftp-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-31161-mitigate-crushftp-vulnerability
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31161
Affected products (1)
- cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
More vulnerabilities in Crushftp
- CVE-2024-53552 — Critical (CVSS 9.8): CrushFTP 10 before 10.8.3 and 11 before 11.2.3 mishandles password reset, leading to account takeover.
- CVE-2024-4040 — Critical (CVSS 9.8): A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms…
- CVE-2023-43177 — Critical (CVSS 9.8): CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object…
- CVE-2017-14035 — Critical (CVSS 9.8): CrushFTP 8.x before 8.2.0 has a serialization vulnerability.
- CVE-2025-54309 — Critical (CVSS 9.0): CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation…
- CVE-2025-63419 — Medium (CVSS 6.1): Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can…
Other CWE-305 vulnerabilities
- CVE-2025-4320 — Critical (CVSS 10.0): Authentication Bypass by Primary Weakness, Weak Password Recovery Mechanism for Forgotten Password vulnerability in…
- CVE-2025-24522 — Critical (CVSS 10.0): KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the…
- CVE-2024-36388 — Critical (CVSS 10.0): MileSight DeviceHub - CWE-305 Missing Authentication for Critical Function
- CVE-2024-1403 — Critical (CVSS 10.0): In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the…
- CVE-2026-25555 — Critical (CVSS 9.8): OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication…
- CVE-2026-4670 — Critical (CVSS 9.8): Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication…