CVE-2025-31161

CVE-2025-31161 is a critical-severity vulnerability in Crushftp with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-04-07). The underlying weakness is classified as CWE-305.

Key facts

Description

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.

CVE-2025-31161: CrushFTP Authentication Bypass via AWS4-HMAC (Critical, KEV)

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2025-31161
CVSS v3 9.8 (CRITICAL)
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.99947 (99.95%)
EPSS Percentile 99.97th
KEV Yes (added 2025-04-07)
CWE CWE-305
Published 2025-04-03
Modified 2026-06-17

Summary

CrushFTP versions 10 (prior to 10.8.4) and 11 (prior to 11.3.1) are affected by an authentication bypass vulnerability in the AWS4-HMAC authorization path of the HTTP(S) component. The flaw allows an unauthenticated remote attacker to authenticate as any known or guessable user — most critically the built-in crushadmin account — leading to full administrative compromise. This vulnerability has been actively exploited in the wild since March and April 2025.

Background

CrushFTP is a popular multi-protocol file transfer server supporting FTP, FTPS, SFTP, HTTP, and HTTPS. The HTTP(S) component includes an S3-compatible API that uses AWS Signature Version 4 (AWS4-HMAC) for request authentication. During routine security research, a flaw was discovered in how CrushFTP validates AWS4-HMAC signatures prior to user verification, creating a window where authentication can succeed without valid credentials.

Root Cause

CWE-305: Authentication Bypass by Primary Weakness

The vulnerability stems from a logic flaw in the AWS4-HMAC authentication handler within CrushFTP's HTTP component. The server initiates authentication by calling login_user_pass() to verify the existence of a username without requiring a password at that stage. The session is then advanced through the HMAC verification process. A race condition exists between the initial user lookup and the subsequent verification check.

Additionally, the vulnerability can be stabilized by sending a malformed AWS4-HMAC header containing only the username followed by a slash (/). This causes the server to successfully locate the username and trigger an "anypass" authentication path, but then fails to find the expected SignedHeaders entry, resulting in an index-out-of-bounds exception that prevents the session from being properly cleaned up. The combination of these issues makes authentication bypass trivial and reliable.

Impact

With a CVSS v3 score of 9.8 (CRITICAL), this vulnerability presents severe risk:

Metric Value Implication
Attack Vector Network Exploitable remotely over HTTP(S)
Attack Complexity Low No special conditions required
Privileges Required None Fully unauthenticated
User Interaction None No victim action needed
Scope Unchanged Impact limited to the vulnerable component
Confidentiality High Full access to files and configurations
Integrity High Ability to modify data and accounts
Availability High Potential for service disruption

Successful exploitation grants an attacker administrative access to the CrushFTP server, enabling file exfiltration, configuration tampering, backdoor installation, and lateral movement within the hosting environment.

Exploitation Walkthrough

Ethics Notice: The following description is provided for defensive awareness and detection engineering only. Attempting to exploit systems without explicit authorization is illegal and unethical.

The attack leverages the AWS4-HMAC authentication flow in CrushFTP's HTTP(S) interface:

  1. The attacker sends a request to the HTTP(S) port with an AWS4-HMAC authorization header targeting a known or guessable username (commonly crushadmin).
  2. The server looks up the username via login_user_pass() without validating the password, creating an authenticated session context.
  3. Due to the race condition or by sending a malformed header (username followed by /), the HMAC verification process completes or errors out in a way that bypasses the final credential check.
  4. The attacker gains an authenticated session as the targeted user, effectively achieving administrative takeover.

Organizations should treat any CrushFTP instance exposed to the internet as potentially compromised if it was running a vulnerable version during the March–April 2025 exploitation window.

Affected and Patched Versions

Status Versions
Affected CrushFTP 10.x < 10.8.4
Affected CrushFTP 11.x < 11.3.1
Patched CrushFTP 10.8.4 and later
Patched CrushFTP 11.3.1 and later

Note: Deployments using a DMZ proxy instance are not vulnerable to the crushadmin account takeover, though other impacts may still apply depending on configuration.

Remediation

  1. Upgrade immediately to CrushFTP 10.8.4 or 11.3.1 (or later). The vendor has released patches that address the authentication bypass.
  2. Apply network segmentation. Restrict CrushFTP HTTP(S) ports to trusted IP ranges where possible. Do not expose administrative interfaces to the public internet.
  3. Implement a DMZ proxy. If not already in use, consider deploying a DMZ proxy instance to insulate the main server from direct internet exposure.
  4. Review and rotate credentials. After patching, force password resets for all CrushFTP accounts — especially crushadmin and other privileged accounts — and audit account configurations for unauthorized changes.
  5. Inspect for persistence. Check for newly created accounts, modified permissions, unexpected scheduled jobs, or unauthorized file uploads that may indicate prior compromise.

Detection

  • Network: Monitor HTTP(S) traffic to CrushFTP for requests containing malformed or truncated AWS4-HMAC authorization headers, particularly those with unusual Credential or SignedHeaders fields.
  • Authentication Logs: Look for successful logins from unexpected source IPs, especially for the crushadmin account or other high-privilege users.
  • Endpoint: Hunt for anomalous child processes spawned by the CrushFTP service, unexpected file system modifications, or new user accounts created outside of change-management windows.
  • Threat Intelligence: Correlate source IPs against known indicators of compromise from CISA KEV and security vendor reports published in April 2025.

Assessment

This vulnerability is exceptionally dangerous due to its trivial exploitability and active exploitation in the wild. An EPSS score of 0.99947 (99.95th percentile) indicates near-certain exploitation probability, and CISA added it to the Known Exploited Vulnerabilities catalog on 2025-04-07 — just four days after public disclosure. The EU also flagged it as exploited (EUVD-2025-9910) on the same date.

Key takeaways:

  1. Authentication state machines are high-risk targets. Splitting credential verification across multiple phases (user lookup → HMAC validation → final check) introduces race conditions and logic bypass opportunities. Security-critical code paths should be designed with atomic, fail-closed semantics.
  2. The disclosure timeline amplified impact. Public exploitation began in March 2025, and the coordinated disclosure process became contentious. Organizations relying solely on patch Tuesdays or delayed patching cycles were left exposed during a period of mass exploitation. Critical infrastructure exposed to the internet must be patchable within hours, not weeks.

References

Frequently asked questions

What is CVE-2025-31161?
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
How severe is CVE-2025-31161?
CVE-2025-31161 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2025-31161 being actively exploited?
Yes. CVE-2025-31161 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-04-07, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2025-31161?
CVE-2025-31161 affects Crushftp. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2025-31161?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2025-31161 have an EU (EUVD) identifier?
Yes. CVE-2025-31161 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-9910. It is also flagged as exploited in the EUVD (since 2025-04-07).
When was CVE-2025-31161 published?
CVE-2025-31161 was published on 2025-04-03 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Crushftp

All CVEs affecting Crushftp →

Other CWE-305 vulnerabilities

Browse all CWE-305 vulnerabilities →