CrushFTP CVE-2025-31161 Vulnerability
By Christian Mary Lagua on April 11, 2025
Executive Summary
CVE-2025-31161 is a critical authentication bypass in the CrushFTP file transfer server, reachable over its unauthenticated HTTP(S) port. It affects the 10.x releases before 10.8.4 and the 11.x releases before 11.3.1. CrushFTP published fixed versions on March 21, 2025, and exploitation in the wild followed once technical details became public. Anyone running an affected version should upgrade immediately.
Background
CrushFTP is a file transfer server that provides managed file sharing over the internet [3]. It exposes several access protocols, including FTP, FTPS, SFTP and HTTP(S), and its web port also accepts requests from S3-style clients. CVE-2025-31161 lets an attacker bypass authentication on that HTTP(S) port. The root cause is improper handling of the HTTP Authorization header when it carries AWS Signature Version 4 (AWS4-HMAC-SHA256) credentials, the signing scheme used by Amazon S3 clients, which CrushFTP accepts so that S3 tooling can talk to it.
Outpost24 analysts found the flaw and reported it to CrushFTP. On March 13, 2025, Outpost24 requested a CVE from MITRE and agreed to a 90-day non-disclosure period with the vendor so that customers could patch before technical details were published and before exploitation could begin [3]. CrushFTP shipped fixes on March 21. Before the agreed period ended, however, VulnCheck published the issue under a separate identifier, CVE-2025-2825; technical details and proof-of-concept code circulated, and active exploitation followed [4]. MITRE's identifier, CVE-2025-31161, is the one now used for the vulnerability.
Exploitation
The bypass hinges on the order of operations in the AWS4-HMAC authentication path, which makes it a race condition. When a request carries an AWS4-HMAC-SHA256 Authorization header, the server first looks up the user named in the header without checking a password, and the session is treated as that user before the signature has been verified. A request that reaches the server inside that window, carrying a crafted AWS4-HMAC header that names a valid account, is handled as authenticated even though the attacker never proved knowledge of the credential. The only thing the attacker needs to know is a valid username.
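The following is an added example written for this page, not CrushFTP's code: it models the ordering flaw described above in a small Python handler. The session object, the handler names, the user store and the request strings are all assumptions, and the signature scheme is a simplified single HMAC-SHA256 rather than full SigV4 key derivation. The vulnerable handler marks the session authenticated as soon as the user named in the Authorization header exists and verifies the signature afterwards; a concurrent request served in between is trusted. The fixed handler verifies the signature before the session is ever marked authenticated.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed user store for the demo: username -> signing secret (assumed, not CrushFTP's).
USERS = {"crushadmin": b"admin-signing-secret", "alice": b"alice-signing-secret"}

# In SigV4 the access key / username is the first '/'-separated field of Credential=.
CRED_RE = re.compile(r"Credential=([^/,\s]+)")
SIG_RE = re.compile(r"Signature=([0-9a-f]{64})")


@dataclass
class Session:
    user: Optional[str] = None
    authenticated: bool = False
    pending_sig: Optional[str] = None   # deferred-verification state (vulnerable handler only)
    pending_sts: str = ""


def parse_aws4_header(authz: str) -> Optional[Tuple[Optional[str], Optional[str]]]:
    """Return (username, signature) from an AWS4-HMAC-SHA256 header, or None if it is not one."""
    if not authz.startswith("AWS4-HMAC-SHA256 "):
        return None
    m_user, m_sig = CRED_RE.search(authz), SIG_RE.search(authz)
    return (m_user.group(1) if m_user else None, m_sig.group(1) if m_sig else None)


def sign(secret: bytes, string_to_sign: str) -> str:
    """Simplified signing: one HMAC-SHA256 over the string to sign (real SigV4 derives keys)."""
    return hmac.new(secret, string_to_sign.encode(), hashlib.sha256).hexdigest()


class VulnerableHandler:
    """Trusts the session on user existence and checks the signature later: the race window."""

    def begin(self, session: Session, authz: str, string_to_sign: str) -> bool:
        parsed = parse_aws4_header(authz)
        if parsed is None:
            return False
        user, sig = parsed
        if user not in USERS:                 # existence check only, no password, no signature
            return False
        session.user = user
        session.authenticated = True          # BUG: trusted before any proof of the credential
        session.pending_sig, session.pending_sts = sig, string_to_sign
        return True

    def finish(self, session: Session) -> bool:
        """Deferred check; any request served before this runs was already treated as trusted."""
        expected = sign(USERS[session.user], session.pending_sts)
        ok = hmac.compare_digest(expected, session.pending_sig or "")
        if not ok:
            session.user, session.authenticated = None, False
        return ok


class FixedHandler:
    """Verifies the signature first; the session is only marked authenticated on success."""

    def begin(self, session: Session, authz: str, string_to_sign: str) -> bool:
        parsed = parse_aws4_header(authz)
        if parsed is None:
            return False
        user, sig = parsed
        if user not in USERS or sig is None:
            return False
        if not hmac.compare_digest(sign(USERS[user], string_to_sign), sig):
            return False
        session.user, session.authenticated = user, True
        return True

    def finish(self, session: Session) -> bool:
        return session.authenticated          # nothing is deferred


def window_open(handler, authz: str, string_to_sign: str) -> bool:
    """True if a second request arriving between begin() and finish() would be treated as authenticated."""
    s = Session()
    handler.begin(s, authz, string_to_sign)
    trusted_in_window = s.authenticated       # what a concurrent request would observe
    handler.finish(s)
    return trusted_in_window


# Constructed requests: a forged header naming the default admin with an all-zero signature,
# and a genuine header for "alice" signed with her secret.
STRING_TO_SIGN = "GET /files"
FORGED = ("AWS4-HMAC-SHA256 Credential=crushadmin/20250321/us-east-1/s3/aws4_request, "
          "Signature=" + "0" * 64)
GENUINE = ("AWS4-HMAC-SHA256 Credential=alice/20250321/us-east-1/s3/aws4_request, "
           "Signature=" + sign(USERS["alice"], STRING_TO_SIGN))

if __name__ == "__main__":
    print("vulnerable handler, forged header trusted in window:", window_open(VulnerableHandler(), FORGED, STRING_TO_SIGN))
    print("fixed handler, forged header trusted in window:     ", window_open(FixedHandler(), FORGED, STRING_TO_SIGN))
    print("fixed handler, genuine header accepted:             ", window_open(FixedHandler(), GENUINE, STRING_TO_SIGN))
```

The point of the model is that the vulnerable handler's finish() does eventually reject the forged signature, so a single-request view of the code looks correct; the defect is only visible to a request that observes the session in between, which is why it is a race rather than a plain missing check.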
Significance and Impact
CVE-2025-31161 gives an unauthenticated attacker access to a CrushFTP server as any user whose name they can guess, with no credential validation at all. Because the default administrative account is named “crushadmin”, and many deployments keep it or use other predictable names, the bypass frequently yields administrator rights directly rather than requiring a separate privilege escalation. Successful exploitation can lead to full server compromise, ransomware deployment, and exfiltration of the files the server holds. As of March 30, 2025, over 1,500 internet-exposed CrushFTP servers were still unpatched [1], and the premature publication under CVE-2025-2825 put working details in attackers' hands while those servers remained vulnerable.
Mitigation
The fix for CVE-2025-31161 is to upgrade to CrushFTP 10.8.4 or later, or 11.3.1 or later. Automatic updating is controlled by the daily_check_and_auto_update_on_idle preference; when it is set to true, the server checks for new releases daily and installs them while idle [2]. On some older Windows systems the automatic update can download the new build but fail to swap it in, leaving “.jar_tmp” files beside the running “.jar” files; the workaround is to rename the “.jar_tmp” files to “.jar” [2]. CrushFTP's DMZ option, in which an internet-facing perimeter instance relays to an internal server that holds the user database, keeps the vulnerable authentication path off the internet-facing instance. Strong passwords do not stop this particular bypass, since no password is checked, but they remain a baseline, and a unique, non-default administrator username removes the easy “crushadmin” guess. Server logs should be monitored for failed and unexpected logins. Because exploitation began before many servers were updated, patching alone does not evict an intruder who is already in: after upgrading, review the user and administrator account list, rotate credentials, and inspect logs from before the patch date.
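As an added example, not CrushFTP's own tooling, the following Python script performs three of the checks above for an operator: whether a reported version string falls inside the affected ranges (using tuple comparison, so 10.8.10 is correctly treated as newer than 10.8.4), whether the daily_check_and_auto_update_on_idle preference is set to true in a prefs fragment, and which source addresses produced repeated failed logins. The XML element layout and the log line format are assumptions made for the demo, and the log lines are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# First fixed release on each supported branch (10.8.4 and 11.3.1 from the advisory).
FIXED = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract up to three numeric components from a version string such as 'CrushFTP 11.3.0'."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(n) for n in nums[:3])
    return parts + (0,) * (3 - len(parts))  # type: ignore[return-value]


def is_vulnerable(version: str) -> bool:
    """True for 10.x below 10.8.4 or 11.x below 11.3.1.

    Major versions outside the advisory's range are not classified here and return False;
    treat unsupported majors as needing an upgrade regardless.
    """
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    return fixed is not None and v < fixed


# Assumed prefs layout: the preference name is from the CrushFTP wiki, the element form is assumed.
PREF_RE = re.compile(
    r"<daily_check_and_auto_update_on_idle>\s*(\w+)\s*</daily_check_and_auto_update_on_idle>"
)


def auto_update_enabled(prefs_xml: str) -> bool:
    m = PREF_RE.search(prefs_xml)
    return bool(m) and m.group(1).lower() == "true"


# Constructed log format for the demo: "<timestamp> <source-ip> LOGIN <user> <OK|FAIL>".
LOG_RE = re.compile(r"^(\S+) (\S+) LOGIN (\S+) (OK|FAIL)$")


def failed_login_sources(lines: List[str], threshold: int) -> Dict[str, int]:
    """Source IPs with at least `threshold` failed logins; lines that do not parse are ignored."""
    fails: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group(4) == "FAIL":
            fails[m.group(2)] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}


def triage(version: str, prefs_xml: str, log_lines: List[str], threshold: int = 3) -> Dict[str, object]:
    """Combine the three checks into one report an operator can act on."""
    return {
        "vulnerable_version": is_vulnerable(version),
        "auto_update_enabled": auto_update_enabled(prefs_xml),
        "suspicious_sources": failed_login_sources(log_lines, threshold),
    }


# Constructed sample data (documentation IP ranges, not real hosts).
SAMPLE_PREFS = "<prefs><daily_check_and_auto_update_on_idle>false</daily_check_and_auto_update_on_idle></prefs>"
SAMPLE_LOG = [
    "2025-03-29T02:11:04Z 203.0.113.7 LOGIN crushadmin FAIL",
    "2025-03-29T02:11:05Z 203.0.113.7 LOGIN admin FAIL",
    "2025-03-29T02:11:06Z 203.0.113.7 LOGIN crushadmin FAIL",
    "2025-03-29T02:11:09Z 203.0.113.7 LOGIN crushadmin OK",
    "2025-03-29T08:00:00Z 198.51.100.4 LOGIN alice OK",
    "2025-03-29T08:05:12Z 198.51.100.4 LOGIN alice FAIL",
    "not a login line",
]

if __name__ == "__main__":
    print(triage("CrushFTP 11.3.0", SAMPLE_PREFS, SAMPLE_LOG))
```

Running the script as-is reports the sample server as vulnerable, with automatic updates off and a burst of failed logins from 203.0.113.7 immediately followed by a successful one, which is exactly the pattern worth pulling from real logs before assuming the upgrade closed the door.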
Conclusion
CVE-2025-31161 is a critical authentication bypass in CrushFTP servers. Its premature publication under a second identifier meant working details were public while thousands of servers were still unpatched, exposing the data they hold. Operators should upgrade to the fixed versions immediately, confirm that no unauthorized access occurred before the upgrade, and keep the surrounding hardening in place.
References
[1] Mascellino, A. (2025, April 3). “CrushFTP Vulnerability Exploited Following Disclosure Issues.” Infosecurity Magazine. https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure/
[2] Spink, B. (2025, March 21). “Update.” CrushFTP Wiki. https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
[3] Varnai, K., & White, M. (2025, April 2). “CrushFTP auth bypass vulnerability: Disclosure mess leads to attacks.” Outpost24. https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/#whats-crushftp
[4] Wright, R. (2025, April 3). “Disclosure Drama Clouds CrushFTP Vulnerability Exploitation.” Dark Reading. https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation