CVE-2025-31161

CVSS 9.8 CRITICAL | CISA KEV

📋 TL;DR

This critical authentication bypass in CrushFTP's HTTP/HTTPS interface lets an unauthenticated attacker obtain an authenticated session by abusing a race condition and header manipulation in the AWS4-HMAC (S3-style) authorization path. The attacker can log in as any existing user whose name they know or can guess, including the built-in crushadmin account, without supplying a password, which leads to full compromise of the server. CrushFTP 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected; DMZ proxy instances are not.

💻 Affected Systems

Products:
  • CrushFTP
Versions: CrushFTP 10 before 10.8.4 and CrushFTP 11 before 11.3.1
Operating Systems: All platforms running CrushFTP
Default Config Vulnerable: ⚠️ Yes
Notes: A CrushFTP DMZ proxy instance placed in front of the main server is NOT vulnerable. Every other configuration, including a default install, is affected.

📦 What is this software?

CrushFTP is a commercial, Java-based file transfer server that runs on Windows, Linux and macOS and exposes FTP, FTPS, SFTP, HTTP/HTTPS (a web interface plus an S3-compatible API) and WebDAV. The S3-compatible endpoint is the reason the server accepts AWS4-HMAC Authorization headers at all, and that authentication path is what this vulnerability abuses.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system takeover with administrative privileges, data exfiltration, ransomware deployment, and persistent backdoor installation.

🟠 Likely Case: Administrative account compromise leading to sensitive data access, configuration changes, and potential lateral movement within the network.

🟢 If Mitigated: A DMZ proxy in front of the main instance blocks this exploit path, but the unpatched main instance remains vulnerable to anyone who can reach its HTTP/HTTPS port directly, so patching is still required.

🌐 Internet-Facing: HIGH - Directly exploitable over HTTP/HTTPS without authentication, actively exploited in the wild.
🏢 Internal Only: HIGH - Anyone who can reach the CrushFTP HTTP/HTTPS port, including an attacker with an initial foothold on the internal network, can exploit it without credentials; internal placement reduces exposure, not severity.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Actively exploited in the wild since March 2025; CISA added the CVE to its Known Exploited Vulnerabilities catalog in April 2025. Exploitation is trivial with publicly available tools and needs nothing beyond a valid user name.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: CrushFTP 10.8.4 and CrushFTP 11.3.1

Vendor Advisory: https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo

Restart Required: Yes

Instructions:

  1. Back up the current installation.
  2. Download the latest version from the CrushFTP website.
  3. Install the update following vendor instructions.
  4. Restart the CrushFTP service and confirm the new version in the admin interface.

🔧 Temporary Workarounds

Enable DMZ Proxy Configuration (applies to: all platforms)

Run CrushFTP behind a CrushFTP DMZ proxy instance; per the vendor, this prevents exploitation of the vulnerability.

Configure the DMZ proxy per the CrushFTP documentation: https://crushftp.com/crush11wiki/Wiki.jsp?page=DMZ

Network Segmentation (applies to: all platforms)

Restrict access to the CrushFTP HTTP/HTTPS ports to trusted networks only.

Configure firewall rules to limit access to the CrushFTP HTTP/HTTPS listeners (typically 80, 443, 8080, 8443). Check the ports actually configured in the admin interface rather than assuming the defaults, since the bypass works on whichever port serves the HTTP interface.

🧯 If You Can't Patch

  • Immediately implement the DMZ proxy configuration as a temporary mitigation
  • Isolate the CrushFTP server from the internet and restrict internal access to essential users only
  • Treat any instance that was reachable while unpatched as potentially compromised: review the user and admin account lists for additions or changes and check the HTTP logs for the indicators under Detection & Monitoring

🔍 How to Verify

Check if Vulnerable:

Read the CrushFTP version from the admin interface or from the server startup logs. Any 10.x release before 10.8.4 and any 11.x release before 11.3.1 is vulnerable unless the instance is a DMZ proxy.

Check Version:

Check the CrushFTP admin panel or review the server startup logs for version information.

Verify Fix Applied:

Confirm the version shown in the admin interface is 10.8.4 or higher (for v10) or 11.3.1 or higher (for v11), after the restart.
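A small fleet check for the version rule above, added here as an example and not code from this page or from CrushFTP. It assumes each host's version has already been collected as a string (from the admin panel or startup log) and that the string starts with a dotted numeric version, with any trailing build tag ignored; the host inventory is constructed for illustration.

```python
import re

# Fixed releases named in the vendor advisory, keyed by major version.
FIXED_IN = {10: (10, 8, 4), 11: (11, 3, 1)}

# Leading dotted numeric version; anything after it is ignored (assumption).
VERSION_RE = re.compile(r'^(\d+)(?:\.(\d+))?(?:\.(\d+))?')


def parse_version(text):
    """Turn a version string such as "11.3.0" into a (major, minor, patch) tuple.

    Missing components are treated as 0, so "11.2" compares as 11.2.0.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError('no version number in %r' % text)
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable(text):
    """True if the version is in an affected range, False if it carries the fix,
    None when the major version is not one this advisory covers (only 10 and 11)."""
    version = parse_version(text)
    fixed = FIXED_IN.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def triage(inventory):
    """Given {hostname: version_string}, return the hosts that still need the patch.

    Hosts on other major versions return None from is_vulnerable and are left
    out; review those separately rather than assuming they are safe.
    """
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == '__main__':
    # Constructed inventory, as it might be gathered from admin panels or logs.
    hosts = {
        'ftp-prod-01': '11.3.0',
        'ftp-prod-02': '11.3.1',
        'ftp-legacy': '10.8.3',
        'ftp-dmz': '10.8.4',
    }
    for host in triage(hosts):
        print('%s runs %s: PATCH NOW' % (host, hosts[host]))
```

Note that the DMZ proxy exception is not applied here on purpose: a DMZ instance on 10.8.3 is still reported, because the vendor's fix is the only durable state and the inventory usually cannot tell a proxy from a main instance.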

📡 Detection & Monitoring

Log Indicators:

  • Failed AWS4-HMAC authentication attempts with malformed headers
  • Successful authentication from unusual IP addresses
  • Index-out-of-bounds errors in server logs

Network Indicators:

  • HTTP requests whose Authorization header is AWS4-HMAC-SHA256 with a Credential value that is just a user name followed by a slash (a legitimate S3 client sends a five-part scope, accesskey/date/region/service/aws4_request, plus a Signature)
  • Unusual authentication patterns to CrushFTP HTTP ports

SIEM Query:

source="crushftp.log" AND ("AWS4-HMAC" OR "IndexOutOfBounds" OR "crushadmin")

The "AWS4-HMAC" term will also match legitimate S3-compatible traffic if that feature is in use; on such deployments, narrow the results to Authorization values whose Credential scope has fewer than five slash-separated parts or no Signature component. "IndexOutOfBounds" matches the Java exception name (ArrayIndexOutOfBoundsException) as it would appear in the log.
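The network indicator above as runnable detection logic, added as an example that is not part of this page or of CrushFTP. The log format is constructed for the example (client IP, request line, and the raw Authorization value in an auth="..." field) and does not match CrushFTP's real log layout; adapt the line parser to whatever your proxy or server actually writes. The rule itself only looks at the Authorization value.

```python
import re
from collections import Counter

# SigV4-style Authorization value accepted by CrushFTP's S3-compatible endpoint.
# A legitimate client sends Credential=accesskey/date/region/service/aws4_request,
# then SignedHeaders=... and Signature=...; the exploit sends Credential=<user>/ only.
AWS4_RE = re.compile(r'AWS4-HMAC-SHA256\s+Credential=([^,\s]*)', re.IGNORECASE)
AUTH_FIELD_RE = re.compile(r'auth="([^"]*)"')

# Constructed sample lines (NOT CrushFTP's real log format).
SAMPLE_LOG = """\
203.0.113.5 "GET /WebInterface/function/?command=getUsername HTTP/1.1" auth="AWS4-HMAC-SHA256 Credential=crushadmin/"
198.51.100.7 "PUT /bucket/object HTTP/1.1" auth="AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250401/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=deadbeef"
203.0.113.5 "GET /WebInterface/function/?command=getUsername HTTP/1.1" auth="AWS4-HMAC-SHA256 Credential=backup/, SignedHeaders=host"
192.0.2.9 "GET / HTTP/1.1" auth="Basic dXNlcjpwYXNz"
"""


def classify_authorization(value):
    """Return (user, reason) when an AWS4-HMAC Authorization value is malformed
    in the way the public PoCs for this CVE use, otherwise None."""
    m = AWS4_RE.search(value)
    if not m:
        return None  # not the AWS4-HMAC scheme: out of scope for this rule
    parts = m.group(1).split('/')
    user = parts[0]
    if len(parts) != 5 or parts[-1].lower() != 'aws4_request':
        return (user, 'credential scope has %d part(s), expected 5' % len(parts))
    if 'Signature=' not in value:
        return (user, 'Signature component missing')
    return None


def scan_log(text):
    """Return (client_ip, user, reason) for every suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip = line.split(' ', 1)[0]
        m = AUTH_FIELD_RE.search(line)
        if not m:
            continue
        verdict = classify_authorization(m.group(1))
        if verdict:
            hits.append((ip, verdict[0], verdict[1]))
    return hits


def per_source_summary(hits):
    """Count suspicious requests per client IP. The bypass needs a valid user name
    rather than a password, so one source cycling through many names stands out."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == '__main__':
    findings = scan_log(SAMPLE_LOG)
    for ip, user, reason in findings:
        flag = ' [ADMIN ACCOUNT]' if user == 'crushadmin' else ''
        print('%s  user=%s  %s%s' % (ip, user, reason, flag))
    print('per-source counts:', dict(per_source_summary(findings)))
```

The rule deliberately flags on the shape of the credential scope rather than on the crushadmin name alone, since the same bypass works for any existing account; the admin name is only highlighted for priority.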
