Cyber Resilience

CVE-2025-31161

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 03 April 2025

Modified: 31 October 2025
KEV Added: 07 April 2025
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8894 (99.5th percentile)
Risk Priority: 93 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-31161 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in CrushFTP. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CrushFTP versions 10 before 10.8.4 and 11 before 11.3.1 contain an authentication bypass vulnerability in the HTTP component of the FTP server. The flaw stems from a race condition in the AWS4-HMAC authorization method, which is compatible with S3 storage. The server initially calls login_user_pass() without requiring a password to verify user existence, allowing session authentication via HMAC before a second verification check occurs. The race can be made deterministic by supplying a mangled AWS4-HMAC header containing only a username followed by a slash: the username lookup triggers anypass authentication, while the missing SignedHeaders entry produces an index-out-of-bounds error that prevents session cleanup.

Unauthenticated remote attackers can exploit the issue over HTTP or HTTPS to impersonate any known or guessable account, including the crushadmin administrative user, unless a DMZ proxy instance is deployed. Successful exploitation grants full administrative control and can lead to complete system compromise. The vulnerability carries a CVSS score of 9.8 and was observed being exploited in the wild during March and April 2025.

Vendor guidance and public advisories direct administrators to upgrade immediately to CrushFTP 10.8.4 or 11.3.1. The references also note that the bypass is mitigated when a DMZ proxy configuration is already in place, and they provide additional context on detection and post-exploitation indicators.

The EPSS score has reached a peak of 0.9011 with a current value of 0.8894, reflecting sustained exploitation interest following disclosure.

Vulnerability details

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
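As an added example (not code from this page or from CrushFTP), the following Python triage helper applies the two checks a defender takes from the Deeper analysis and Vulnerability details above: whether a reported build is below the fixed releases 10.8.4 / 11.3.1, and whether an AWS4-HMAC Authorization header in a request log has the mangled shape the advisory describes (a credential that is just a user name and a slash, or no SignedHeaders entry). It assumes the S3-style header layout `AWS4-HMAC-SHA256 Credential=..., SignedHeaders=..., Signature=...`; the sample requests are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by major branch.
FIXED_RELEASE = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text: str) -> tuple:
    """'11.2.0' -> (11, 2, 0); non-numeric fragments are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_vulnerable_version(text: str) -> bool:
    """True when a 10.x or 11.x build is below its fixed release."""
    parts = parse_version(text)
    fixed = FIXED_RELEASE.get(parts[0]) if parts else None
    return fixed is not None and parts < fixed


# Assumed S3-style layout: "AWS4-HMAC-SHA256 Credential=<id>/<scope>, SignedHeaders=..., Signature=..."
CREDENTIAL_RE = re.compile(r"Credential=([^,\s]*)", re.IGNORECASE)


def classify_authorization(header: str) -> str:
    """Classify one Authorization header value against the bypass pattern."""
    if not header.upper().startswith("AWS4-HMAC"):
        return "ok"  # a different auth method; out of scope for this CVE
    match = CREDENTIAL_RE.search(header)
    credential = match.group(1) if match else ""
    # The mangled form from the advisory: a user name followed only by a slash.
    if credential.count("/") == 1 and credential.endswith("/"):
        return "mangled-credential"
    # A well-formed AWS4 request always carries a SignedHeaders entry.
    if "SignedHeaders=" not in header:
        return "missing-signedheaders"
    return "ok"


def triage_requests(requests: list) -> list:
    """Return (index, verdict) for each logged request worth an analyst's look."""
    verdicts = ((i, classify_authorization(r.get("authorization", ""))) for i, r in enumerate(requests))
    return [(i, v) for i, v in verdicts if v != "ok"]


# Constructed sample log entries (not captured traffic).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "authorization": "Basic dXNlcjpwYXNz"},
    {"src": "203.0.113.6", "authorization":
        "AWS4-HMAC-SHA256 Credential=svc/20250401/us-east-1/s3/aws4_request, "
        "SignedHeaders=host;x-amz-date, Signature=0123abcd"},
    {"src": "203.0.113.7", "authorization": "AWS4-HMAC-SHA256 Credential=someuser/"},
]
```

Run `triage_requests(SAMPLE_REQUESTS)` over your own parsed access logs to surface candidates; a hit on a build where `is_vulnerable_version()` is true is the combination that warrants incident handling.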

CWE(s): CWE-305 (Authentication Bypass by Primary Weakness)
KEV Date Added: 07 April 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: CrushFTP
Product: CrushFTP
Affected versions: 10.0.0 up to 10.8.4 (fixed in 10.8.4) · 11.0.0 up to 11.3.1 (fixed in 11.3.1)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces authenticated access decisions, blocking the unauthenticated HTTP(S) session takeover that bypasses login_user_pass() and anypass logic.

IA-2 Identification and Authentication (Organizational Users) (prevent): Requires valid identification and authentication before granting access to the crushadmin account, directly countering the AWS4-HMAC race condition and mangled-header bypass.

Boundary Protection (prevent): Boundary protection via a DMZ proxy instance explicitly blocks the unauthenticated HTTP(S) access path described in the CVE.

References