KEVIntel
Back to KEVs
9.8
CVSS
Critical

CVE-2025-31161

PUBLISHED

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is...

Exploited in the wild Used in malware PoC available Remote Low complexity No user interaction
Vendor
CrushFTP
Product
CrushFTP
Published
Apr 03, 2025
EPSS

Description

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.

windows cisa malware ransomware nuclei_scanner nessus_scanner

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2025-04-07 00:00:00 UTC · Source

Used in malware

Recorded 2025-04-07 00:00:00 UTC · Source

Proof of concept available

Recorded 2025-04-08 15:37:28 UTC · Source

SSVC decision points

Exploitation
active
Automatable
Yes
Technical impact
total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CISA Apr 07, 2025

Scanner integrations

Scanner Reference Detected
Nessus https://www.tenable.com/plugins/nessus/233965 Jun 02, 2025
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-31161.yaml Apr 25, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

SUPRAAA-1337/CVE-2025-31161_exploit

github · Created 2025-04-24 22:09:24 UTC · 0 stars

CVE-2025-31161 python exploit

SUPRAAA-1337/Nuclei_CVE-2025-31161_CVE-2025-2825

github · Created 2025-04-24 10:25:26 UTC · 0 stars

Official Nuclei template for CVE-2025-31161 (formerly CVE-2025-2825)

TX-One/CVE-2025-31161

github · Created 2025-04-21 23:57:07 UTC · 1 stars

CrushFTP CVE-2025-31161 Exploit Tool 🔓

llussiess/CVE-2025-31161

github · Created 2025-04-09 14:38:42 UTC · 1 stars

Immersive-Labs-Sec/CVE-2025-31161

github · Created 2025-04-08 15:37:28 UTC · 5 stars

Proof of Concept for CVE-2025-31161 / CVE-2025-2825

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Exploit Used in Malware

  • Added to KEVIntel

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Detected by Nessus