A critical authentication bypass flaw affecting CrushFTP has been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog. This follows confirmed reports of active exploitation targeting unpatched systems.
Why It Matters
CrushFTP is a widely used secure file transfer solution. A successful exploit could allow attackers to impersonate administrative users and gain full system access. The flaw poses a significant risk to unpatched environments, especially in enterprise and government networks.
The vulnerability, now assigned CVE-2025-31161 with a CVSS score of 9.8, exists in the way CrushFTP handles HTTP authorization headers. It allows unauthenticated attackers to authenticate as any known or guessable user, such as “crushadmin.” The issue has been resolved in versions 10.8.4 and 11.3.1.
As of April 6, 2025, 815 instances remain unpatched worldwide. Most vulnerable deployments are in North America (487) and Europe (250).
What They’re Saying
CISA warned that the vulnerability “potentially leads to full compromise” of targeted systems through session hijacking using forged cookies and headers.
A proof-of-concept provided by researchers shows that setting specific cookies and using a crafted Authorization header can successfully bypass authentication.
Security researchers observed attackers leveraging access to deploy remote tools such as AnyDesk and MeshAgent.
In some cases, attackers added a new user (“CrushUser”) to the local administrators group and deployed a malicious binary implementing a Telegram bot library for command and control.
The Hacker News reported that this post-exploitation activity indicates attempts to maintain persistence and exfiltrate telemetry from compromised hosts.
The Bottom Line
All Federal Civilian Executive Branch (FCEB) agencies are mandated to patch affected systems by April 28, 2025. Other organizations using CrushFTP should immediately upgrade to the fixed versions to mitigate risk.
CVE-2025-31161 is actively exploited. Prompt patching and security hardening are critical to preventing unauthorized access and further compromise.
About Author
