CrushFTP Vulnerability Exploited Following Disclosure Issues
A critical authentication bypass vulnerability in CrushFTP, identified as CVE-2025-31161, has been actively exploited by remote attackers following a mishandled disclosure process.
The flaw, which allows unauthenticated access to devices running unpatched versions of CrushFTP v10 or v11, has a CVSSv3.1 severity score of 9.8.
Security analysts at Outpost24 said they originally discovered the vulnerability and sought to follow a responsible disclosure timeline, working with MITRE to secure a CVE on March 13 2025.
They coordinated with CrushFTP under an agreed 90-day non-disclosure period to ensure users had sufficient time to patch before details became public.
However, the disclosure process was disrupted when another party allegedly published a separate CVE – CVE-2025-2825 – without consulting Outpost24 or CrushFTP. This led to the vulnerability becoming widely known before users could update their systems, resulting in active exploitation.
Over 1500 vulnerable instances have been identified online by the Shadowserver Foundation.
Since file transfer services like CrushFTP are frequent targets for ransomware groups, the risk of compromise is high. In response, CrushFTP has released patches, urging users to update to versions 10.8.4 or 11.3.1 immediately.
In a security advisory sent to customers on March 21 2025, CrushFTP emphasized the urgency of patching, warning that an exposed HTTP(S) port could enable unauthorized access. As a temporary mitigation, enabling the DMZ perimeter network option is recommended for those unable to apply the fix immediately.
The vulnerability stems from an issue in the AWS4-HMAC authentication method of CrushFTP’s HTTP component.
Attackers can exploit a race condition to temporarily authenticate as any user, including administrators, by sending a manipulated Authorization header. By further stabilizing the attack with a malformed request, they can maintain persistent access to the system. The vulnerability is especially dangerous because many administrators use the default “crushadmin” username.
To recreate the issue, attackers generate a session token, set specific cookies and send an HTTP GET request with a crafted authorization header. This process grants unauthorized access and enables attackers to execute commands as an administrator.
Organizations using CrushFTP should take the following actions immediately:
- Update to CrushFTP version 10.8.4 or 11.3.1 (or later) to patch the vulnerability
- Enable the DMZ perimeter network option if immediate patching is not feasible
- Monitor system logs for unusual authentication attempts to detect potential compromise
- Restrict public-facing access to CrushFTP servers where possible to reduce exposure
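As an added example (not CrushFTP's or Outpost24's code), the following script implements two of the checks above: it decides whether a CrushFTP version string is at or beyond the patched release for its branch (10.8.4 for v10, 11.3.1 for v11), and it scans log lines for the default "crushadmin" account authenticating via the AWS4-HMAC scheme from outside a trusted network. The log format, the trusted network and the sample lines are constructed for the example and are not a real CrushFTP or proxy format.

```python
"""Version check and a log-triage heuristic for CVE-2025-31161 (added example).
Patch thresholds are the ones in the advisory: 10.8.4 (v10) and 11.3.1 (v11).
The log format below is constructed for this example; adapt LOG_RE to what
your reverse proxy or CrushFTP actually writes."""
import re
from ipaddress import ip_address, ip_network

FIXED = {10: (10, 8, 4), 11: (11, 3, 1)}   # first patched release per branch


def parse_version(text):
    """'v11.3.1' / '10.8.4' -> (11, 3, 1) / (10, 8, 4); None if unparseable."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def assess_version(text):
    """'patched', 'vulnerable', or 'unknown' (not a v10/v11 branch or unparseable)."""
    v = parse_version(text)
    fixed = FIXED.get(v[0]) if v else None
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


# Constructed line shape: <ip> user=<name> auth=<scheme> "<request>"
LOG_RE = re.compile(r'^(?P<ip>\S+) user=(?P<user>\S*) auth=(?P<scheme>\S+) "[^"]*"')
ADMIN_USERS = {"crushadmin"}          # default admin name mentioned in the article
TRUSTED = [ip_network("10.0.0.0/8")]  # assumed admin network; adjust to your own


def suspicious_auth(lines):
    """Return lines where an admin account uses AWS4-HMAC auth from outside
    TRUSTED.  A triage heuristic for review, not a signature of exploitation."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src = ip_address(m["ip"])
        if (m["scheme"].startswith("AWS4-HMAC") and m["user"] in ADMIN_USERS
                and not any(src in net for net in TRUSTED)):
            hits.append(line)
    return hits


SAMPLE_LOG = [  # constructed sample input
    '10.0.0.5 user=alice auth=Basic "GET / HTTP/1.1"',
    '203.0.113.9 user=crushadmin auth=AWS4-HMAC-SHA256 "GET / HTTP/1.1"',
    '10.0.0.8 user=crushadmin auth=AWS4-HMAC-SHA256 "GET / HTTP/1.1"',
]

if __name__ == "__main__":
    for v in ("10.8.3", "11.3.1", "9.2.0"):
        print(v, assess_version(v))
    for hit in suspicious_auth(SAMPLE_LOG):
        print("REVIEW:", hit)
```

Legitimate S3-style clients also use AWS4-HMAC, so tune ADMIN_USERS and TRUSTED to your environment before treating a hit as more than a lead.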
Given the ongoing exploitation of CVE-2025-31161, securing file transfer infrastructure against future vulnerabilities remains critical.