CVE-2025-31161
Published: 03 April 2025
Summary
CVE-2025-31161 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in CrushFTP. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CrushFTP versions 10 before 10.8.4 and 11 before 11.3.1 contain an authentication bypass vulnerability in the HTTP component of the FTP server. The flaw stems from a race condition in the AWS4-HMAC authorization method, which is compatible with S3 storage. The server initially calls login_user_pass() without requiring a password to verify user existence, allowing session authentication via HMAC before a second verification check occurs. The race can be made reliable by supplying a mangled AWS4-HMAC header containing only a username followed by a slash, which triggers anypass authentication while producing an index-out-of-bounds error that prevents session cleanup.
Unauthenticated remote attackers can exploit the issue over HTTP or HTTPS to impersonate any known or guessable account, including the crushadmin administrative user, unless a DMZ proxy instance is deployed. Successful exploitation grants full administrative control and can lead to complete system compromise. The vulnerability carries a CVSS score of 9.8 and was observed being exploited in the wild during March and April 2025.
Vendor guidance and public advisories direct administrators to upgrade immediately to CrushFTP 10.8.4 or 11.3.1. The references also note that the bypass is mitigated when a DMZ proxy configuration is already in place, and they provide additional context on detection and post-exploitation indicators.
The EPSS score has reached a peak of 0.9011 with a current value of 0.8894, reflecting sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9910
Vulnerability details
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
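As an added defensive example (not code from this page, from CrushFTP, or from the advisory authors), the Python below does two things a responder would want: it checks whether a reported CrushFTP version falls inside the two affected trains named above (10.x before 10.8.4, 11.x before 11.3.1), and it flags AWS4-HMAC Authorization headers that lack the SignedHeaders entry or carry a truncated Credential scope, the two traits the description attributes to the mangled header. The request-capture line format, the source addresses and the header values are constructed for the example; the standard SigV4 layout (`Credential=<key>/<date>/<region>/<service>/aws4_request, SignedHeaders=..., Signature=...`) is the only assumption about well-formed headers.

```python
import re
from typing import Dict, List

# Affected trains as stated in the advisory text: fixed in 10.8.4 and 11.3.1.
# Other major versions are not covered by that text, so they are reported as not affected.
FIXED_IN = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(version: str) -> tuple:
    """Turn '10.8.3' or '11.3' into a 3-tuple of ints (missing parts become 0)."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if the CrushFTP version is below the fixed release of its train."""
    parsed = parse_version(version)
    fixed = FIXED_IN.get(parsed[0])
    return fixed is not None and parsed < fixed


def classify_aws4_header(auth: str) -> List[str]:
    """Return anomaly tags for an Authorization header value; [] means well-formed.

    Only AWS4-HMAC headers are inspected. A well-formed SigV4 header carries
    Credential, SignedHeaders and Signature fields, and the Credential scope has
    exactly four slashes (key/date/region/service/aws4_request).
    """
    if not auth.startswith("AWS4-HMAC"):
        return []
    fields: Dict[str, str] = {}
    body = auth.split(None, 1)[1] if " " in auth else ""
    for part in body.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key] = value
    tags: List[str] = []
    if "SignedHeaders" not in fields:
        tags.append("missing-signedheaders")
    if "Signature" not in fields:
        tags.append("missing-signature")
    cred = fields.get("Credential", "")
    if cred.endswith("/") or cred.count("/") < 4:
        tags.append("truncated-credential-scope")
    return tags


# Constructed request-capture format for the example (a real proxy/WAF export will differ):
#   <timestamp> <src_ip> "<method> <path>" authorization="<header value>"
LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" authorization="([^"]*)"')


def scan_request_log(lines: List[str]) -> List[dict]:
    """Return one record per request whose AWS4-HMAC header looks malformed."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected capture format
        ts, src, _method, path, auth = m.groups()
        tags = classify_aws4_header(auth)
        if tags:
            hits.append({"ts": ts, "src": src, "path": path, "tags": tags})
    return hits


# Constructed sample capture: one well-formed SigV4 request, one request whose
# Credential is just a username and a slash with no SignedHeaders, one Basic auth.
SAMPLE_LOG = [
    '2025-04-01T10:00:00Z 203.0.113.7 "GET /" authorization="AWS4-HMAC-SHA256 '
    'Credential=AKIDEXAMPLE/20250401/us-east-1/s3/aws4_request, '
    'SignedHeaders=host;x-amz-date, Signature=deadbeef"',
    '2025-04-01T10:00:05Z 198.51.100.9 "GET /" authorization="AWS4-HMAC-SHA256 Credential=crushadmin/"',
    '2025-04-01T10:00:09Z 192.0.2.4 "GET /" authorization="Basic dXNlcjpwYXNz"',
]

if __name__ == "__main__":
    for v in ("10.8.3", "10.8.4", "11.3.0", "11.3.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    for hit in scan_request_log(SAMPLE_LOG):
        print(hit)
```

Run the scan over an export of inbound requests to the CrushFTP HTTP(S) listener (or the DMZ proxy in front of it); any hit from an address that should not be using S3-style authentication is worth correlating with the session and admin-login events around the same timestamp.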
- CWE(s): CWE-305 (Authentication Bypass by Primary Weakness)
- KEV Date Added: 07 April 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authenticated access decisions, blocking the unauthenticated HTTP(S) session takeover that bypasses login_user_pass() and anypass logic.
- IA-2 (Identification and Authentication (Organizational Users)): requires valid identification and authentication before granting access to the crushadmin account, directly countering the AWS4-HMAC race condition and mangled-header bypass.
- Boundary protection: a DMZ proxy instance explicitly blocks the unauthenticated HTTP(S) access path described in the CVE.