A recently disclosed critical security flaw impacting CrushFTP has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog after reports emerged of active exploitation in the wild.
The vulnerability is a case of authentication bypass that could permit an unauthenticated attacker to take over susceptible instances. It has been fixed in versions 10.8.4 and 11.3.1.
“CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise,” CISA said in an advisory.
The shortcoming has been assigned the CVE identifier CVE-2025-31161 (CVSS score: 9.8). It bears noting that the same vulnerability was previously tracked as CVE-2025-2825, which has now been marked Rejected in the CVE list.
The development comes after the disclosure process associated with the flaw has been entangled in controversy and confusion, with VulnCheck – due to it being a CVE Numbering Authority (CNA) – assigned an identifier (i.e., CVE-2025-2825), while the actual CVE (i.e., CVE-2025-31161) had been pending.
Outpost24, which is credited with responsibly disclosing the flaw to the vendor, has stepped in to clarify that it requested a CVE number from MITRE on March 13, 2025, and that it was coordinating with CrushFTP to ensure that the fixes were rolled out within a 90-day disclosure period.
However, it wasn’t until March 27 that MITRE assigned the flaw the CVE CVE-2025-31161, by which time VulnCheck had released a CVE of its own without contacting “CrushFTP or Outpost24 beforehand to see if a responsible disclosure process was already underway.”
The Swedish cybersecurity company has since released step-by-step instructions to trigger the exploit without sharing much of the technical specifics –
- Generate a random alphanumeric session token of a minimum 31 characters of length
- Set a cookie called CrushAuth to the value generated in step 1
- Set a cookie called currentAuth to the last 4 characters of the value generated in step 1
- Perform an HTTP GET request to the target /WebInterface/function/ with the cookies from steps 2 and 3, as well as an Authorization header set to “AWS4-HMAC=
/,” where is the user to be signed in as (e.g., crushadmin)
A net result of these actions is that the session generated at the start gets authenticated as the chosen user, allowing an attacker to execute any commands that user has rights to.
Huntress, which re-created a proof-of-concept for CVE-2025-31161, said it observed in-the-wild exploitation of CVE-2025-31161 on April 3, 2025, and that it uncovered further post-exploitation activity involving the use of MeshCentral agent and other malware. There is some evidence to suggest that the compromise may have happened as early as March 30.
The cybersecurity firm said it has seen exploitation efforts targeting four distinct hosts from four different companies to date, adding three of those affected were hosted by the same managed service provider (MSP). The names of the impacted companies were not disclosed, but they belong to marketing, retail, and semiconductor sectors.
The threat actors have been found to weaponize the access to install legitimate remote desktop software such as AnyDesk and MeshAgent, while also taking steps to harvest credentials in at least one instance.
After deploying MeshAgent, the attackers are said to have added a non-admin user (“CrushUser”) to the local administrators group and delivered another C++ binary (“d3d11.dll”), an implementation of the open-source library TgBot.
“Tt is likely that the threat actors are making use of a Telegram bot to collect telemetry from infected hosts,” Huntress researchers said.
As of April 6, 2025, there are 815 unpatched instances vulnerable to the flaw, with 487 of them located in North America and 250 in Europe. In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by April 28 to secure their networks.
