CVE-2025-31161: CWE-305 Authentication Bypass by Primary Weakness in CrushFTP CrushFTP
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
AI Analysis
Technical Summary
CVE-2025-31161 is a critical authentication bypass in CrushFTP 10 before 10.8.4 and 11 before 11.3.1. CrushFTP is a file transfer server exposing FTP and HTTP(S) interfaces and is widely used for managed file sharing. The flaw lies in the AWS4-HMAC (S3-compatible) authorization method of the HTTP component. When a request arrives with an AWS4-HMAC Authorization header, the server resolves the username from the Credential field and calls login_user_pass() with no password requirement, so the session is already authenticated while the HMAC signature is still being processed and stays that way until a later user-verification step and its session cleanup run. That window is the race condition: a concurrent request on the same session can act as the user before cleanup happens. The bypass becomes deterministic with a mangled header whose Credential value is only a username followed by a slash (for example crushadmin/). The username lookup still succeeds and triggers the password-less "anypass" login, but the parser then fails to find the SignedHeaders entry and throws an index-out-of-bounds error that aborts processing before the session cleanup is reached, leaving the session authenticated. The result is that anyone who can reach the HTTP(S) port can authenticate as any known or guessable user, including the built-in crushadmin administrator, which gives full administrative control of the server. The attack is remote, needs no credentials and no user interaction, and the CVSS v3.1 base score is 9.8 (critical). Per the vendor description, deployments in which clients reach CrushFTP only through a DMZ proxy instance are not affected. Fixed versions 10.8.4 and 11.3.1 are available. The vulnerability was exploited in the wild in March and April 2025 and the CVE record has been enriched by CISA, so remediation is urgent.
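To make the authenticate-then-verify ordering concrete, the following is an added Python model written for this page; it is not CrushFTP code and does not reproduce its internals. The header layout is standard AWS SigV4, but the user table, the direct-secret HMAC (real SigV4 derives a per-date key) and the single-request flow are constructed simplifications. It shows why a header of only Credential=crushadmin/ leaves the vulnerable session authenticated, and how the verify-then-authenticate ordering removes the problem regardless of exceptions.

```python
"""Hypothetical model of the CVE-2025-31161 authorization flaw (not CrushFTP code).

The vulnerable path resolves the user from the Credential field, marks the
session authenticated before the header has been fully parsed, and only resets
it on the normal path. A header consisting of "Credential=<user>/" alone raises
IndexError when SignedHeaders is read, so the reset is never reached.
"""
import hashlib
import hmac

# Constructed test accounts. Real SigV4 derives a per-date signing key; this
# model signs directly with the user's secret to keep the demonstration short.
SECRET_KEYS = {"alice": b"alice-secret", "crushadmin": b"admin-secret"}


class Session:
    def __init__(self):
        self.user = None
        self.authenticated = False


def _parts(header):
    """Split 'AWS4-HMAC-SHA256 Credential=..., SignedHeaders=..., Signature=...' into fields."""
    scheme, _, rest = header.partition(" ")
    if scheme != "AWS4-HMAC-SHA256":
        raise ValueError("not an AWS4-HMAC-SHA256 header")
    return [p.strip() for p in rest.split(",")]


def vulnerable_authorize(header, session, string_to_sign):
    """Authenticate-then-verify: the session is live before the signature is checked."""
    parts = _parts(header)
    username = parts[0].split("=", 1)[1].split("/")[0]   # text before the first "/"
    if username not in SECRET_KEYS:
        return False
    # login_user_pass()-style "anypass" login: authenticated before any HMAC check.
    # Everything from here to the reset below is the race window.
    session.user = username
    session.authenticated = True
    signed_headers = parts[1].split("=", 1)[1]            # IndexError for "Credential=crushadmin/"
    signature = parts[2].split("=", 1)[1]
    expected = hmac.new(SECRET_KEYS[username], string_to_sign, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        session.user = None                                # cleanup only on the normal path
        session.authenticated = False
        return False
    return True


def fixed_authorize(header, session, string_to_sign):
    """Verify-then-authenticate: nothing is granted until the whole header checks out."""
    try:
        parts = _parts(header)
        if len(parts) != 3:
            return False
        cred = parts[0].split("=", 1)[1].split("/")
        if len(cred) != 5 or cred[-1] != "aws4_request":   # key/date/region/service/aws4_request
            return False
        key = SECRET_KEYS.get(cred[0])
        if key is None or not parts[1].startswith("SignedHeaders=") or not parts[2].startswith("Signature="):
            return False
        signature = parts[2].split("=", 1)[1]
        expected = hmac.new(key, string_to_sign, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False
    except (IndexError, ValueError, TypeError):
        return False                                       # malformed header: nothing to undo
    session.user = cred[0]
    session.authenticated = True
    return True


def sign(username, string_to_sign, scope="20250401/us-east-1/s3/aws4_request"):
    """Build a well-formed header for the model (constructed, simplified SigV4)."""
    sig = hmac.new(SECRET_KEYS[username], string_to_sign, hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={username}/{scope}, "
            f"SignedHeaders=host;x-amz-date, Signature={sig}")


def demo(mangled="AWS4-HMAC-SHA256 Credential=crushadmin/"):
    """Return (vulnerable session state, fixed session state) after the mangled header."""
    vuln, fixed = Session(), Session()
    try:
        vulnerable_authorize(mangled, vuln, b"")
    except IndexError:
        pass            # the request aborts here; the session object keeps its state
    fixed_authorize(mangled, fixed, b"")
    return vuln.authenticated, fixed.authenticated


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The fix is not the try/except by itself: the important change is that the session is only mutated after every check has passed, so there is no partially granted state for an exception or a concurrent request to observe.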
Potential Impact
For European organizations the risk is complete compromise of a file transfer service that is typically reachable from the internet. CrushFTP servers commonly move personal data subject to GDPR, intellectual property and other sensitive business documents, so exploitation can mean unauthorized access, exfiltration and tampering. An attacker holding crushadmin can read and alter any hosted file, change server configuration, create further accounts and use the host as a foothold for lateral movement, affecting availability and operational continuity as well as confidentiality and integrity. Finance, healthcare, manufacturing and public-sector organizations in Europe that rely on CrushFTP are therefore exposed, and a breach of personal data carries regulatory penalties and reputational damage on top of the operational impact. Because the attack needs no credentials and no user interaction, and because exploitation was observed in the wild in March and April 2025, any unpatched internet-facing instance should be treated as an immediate threat with potentially severe operational and compliance consequences.
Mitigation Recommendations
1. Upgrade to CrushFTP 10.8.4 or 11.3.1 (or later). This is the only complete fix; everything below is interim or defence in depth.
2. Until the upgrade is done, restrict inbound access to the HTTP(S) listener, which is the attack surface (the issue is also known as "Unauthenticated HTTP(S) port access"): limit connections to trusted IP addresses and internal networks, and do not expose the web interface externally if it is not required.
3. The vendor description states that the bypass does not apply when a DMZ proxy instance is used, so fronting the server with a DMZ proxy instance is a documented interim measure. It is not a substitute for the upgrade, and the proxy itself must be kept current.
4. Monitor for exploitation: AWS4-HMAC Authorization headers whose Credential field is a bare username followed by a slash and that carry no SignedHeaders or Signature fields; sessions for crushadmin or other accounts established without a password; administrative logins from unexpected source addresses. Because exploitation began in March 2025, review historical logs for these patterns as well as new traffic.
5. Deploy IDS/IPS or WAF rules for the malformed header pattern. Where TLS is terminated on the CrushFTP host itself, the inspection has to happen on the host or on a TLS-terminating proxy in front of it.
6. Audit accounts and permissions. If the server was exposed unpatched while exploitation was active, assume compromise: look for newly created or modified users, changed permissions and unexpected administrative accounts, remove accounts that are not needed, and rotate the crushadmin password and any other administrative credentials. Note that on unpatched versions a strong password does not prevent the bypass, because the password check is never reached.
7. Enforce multi-factor authentication on administrative interfaces where possible. Treat it as defence in depth rather than a mitigation for this CVE, since the bypass authenticates through the AWS4-HMAC path rather than the interactive login.
8. Keep regular, offline or immutable backups of data and configuration so the server can be rebuilt from a known-good state after a compromise.
9. Brief IT and security teams on this vulnerability and its exploitation pattern, and prepare the incident response steps (isolate, preserve logs and disk images, rotate credentials) to be taken if indicators are found.
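The monitoring item above can be turned into a concrete check. The script below is an added example written for this page, not CrushFTP tooling or a vendor-supplied detection; it assumes Authorization header values are available to you, for instance from a TLS-terminating reverse proxy log or a packet capture, and the log format and the sample lines are constructed for the example. It applies the well-known AWS SigV4 shape (Credential=<key>/<date>/<region>/<service>/aws4_request plus SignedHeaders and Signature) and flags headers reduced to a bare "<user>/".

```python
"""Detect CVE-2025-31161-style mangled AWS4-HMAC headers (added example, not CrushFTP tooling).

Input is a constructed log format, one request per line, as a reverse proxy or
capture tool might emit it:
    <timestamp> <source-ip> "<method> <path>" authorization="<header value>"
A well-formed SigV4 header carries Credential=<key>/<date>/<region>/<service>/aws4_request,
SignedHeaders=... and Signature=...; the exploit pattern is a bare "<user>/" and nothing else.
"""
import re

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" authorization="([^"]*)"')
CRED_RE = re.compile(r"Credential=([^,\s]+)")

# Constructed sample lines; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-04-01T09:58:12Z 198.51.100.7 "GET /" authorization="AWS4-HMAC-SHA256 Credential=alice/20250401/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=9f2c4d2e3a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d"
2025-04-01T10:03:44Z 203.0.113.5 "GET /" authorization="AWS4-HMAC-SHA256 Credential=crushadmin/"
2025-04-01T10:03:45Z 203.0.113.5 "POST /" authorization="Basic Y3J1c2hhZG1pbjpwYXNz"
2025-04-01T10:11:02Z 203.0.113.9 "GET /" authorization="AWS4-HMAC-SHA256 Credential=backup/"
"""


def inspect_authorization(value):
    """Return the anomalies in one AWS4-HMAC header value ([] if well-formed or not AWS4)."""
    if not value.startswith("AWS4-HMAC-SHA256"):
        return []
    m = CRED_RE.search(value)
    if m is None:
        return ["no Credential field"]
    scope = m.group(1).split("/")
    findings = []
    if len(scope) != 5 or scope[-1] != "aws4_request":
        findings.append(f"truncated credential scope {m.group(1)!r}")
    if "SignedHeaders=" not in value:
        findings.append("missing SignedHeaders")
    if "Signature=" not in value:
        findings.append("missing Signature")
    return findings


def scan_log(text):
    """Return (timestamp, source ip, user, findings) for every suspicious AWS4 request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue                       # not in the expected format; skip rather than guess
        ts, src, _request, auth = m.groups()
        findings = inspect_authorization(auth)
        if findings:
            cred = CRED_RE.search(auth)
            user = cred.group(1).split("/")[0] if cred else None
            hits.append((ts, src, user, findings))
    return hits


def suspicious_sources(text):
    """Map each source address that sent a mangled header to the usernames it targeted."""
    out = {}
    for _ts, src, user, _findings in scan_log(text):
        out.setdefault(src, set()).add(user)
    return out


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Two hits against crushadmin and backup from two source addresses is the expected result on the sample; in a real hunt, pair each hit with the session and file-access records that follow it, since a successful bypass is indistinguishable from a legitimate login once the session exists.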
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-03-27T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d984bc4522896dcbf7d37
Added to database: 5/21/2025, 9:09:31 AM
Last enriched: 6/21/2025, 2:22:05 PM
Last updated: 8/16/2025, 6:14:08 AM
Related Threats
- CVE-2025-41242: Vulnerability in VMware Spring Framework (Medium)
- CVE-2025-47206: CWE-787 in QNAP Systems Inc. File Station 5 (High)
- CVE-2025-5296: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Schneider Electric SESU (High)
- CVE-2025-6625: CWE-20 Improper Input Validation in Schneider Electric Modicon M340 (High)
- CVE-2025-57703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie (Medium)