CISA Issues Urgent Alert on Active Exploitation of CrushFTP Authentication Bypass Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical authentication bypass vulnerability (CVE-2025-31161) in CrushFTP, a popular file transfer solution. The flaw, which has been actively exploited, allows attackers to bypass authentication mechanisms and gain unauthorized access to sensitive systems. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and urged organizations to update to the latest software versions to prevent exploitation. The vulnerability impacts versions prior to 10.8.4 and 11.3.1, and has already been used in real-world attacks.

CISA Alerts on Actively Exploited CrushFTP Authentication Bypass Vulnerability (CVE-2025-31161)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning regarding a severe vulnerability in the widely used file transfer software, CrushFTP. The flaw, identified as CVE-2025-31161, poses a significant threat to organizations that rely on the platform for secure file sharing and transfer. This vulnerability, which has been confirmed as actively exploited in the wild, allows attackers to bypass authentication mechanisms and gain unauthorized access to systems, leading to full system compromise.

Active Exploitation and the Discovery of CVE-2025-31161

CVE-2025-31161 is a critical authentication bypass vulnerability in CrushFTP that affects versions prior to 10.8.4 and 11.3.1. The flaw lets unauthenticated attackers bypass authentication and impersonate legitimate users, including administrative accounts such as “crushadmin.” The root cause is a race condition in the AWS4-HMAC authorization method of CrushFTP’s HTTP component: by manipulating the AWS4-HMAC header, an attacker can authenticate as any user without supplying valid credentials.

The vulnerability, which has been assigned a CVSS score of 9.8 (Critical), allows attackers to compromise the system fully and execute further malicious actions, making it a prime target for cybercriminals. It is believed that the flaw has been exploited in the wild since late March 2025, with attacks targeting systems across multiple sectors, including marketing, retail, and semiconductor industries.

CISA’s Warning and Urgency

Given the active exploitation of CVE-2025-31161, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the immediate need for remediation. The U.S. government has been quick to highlight that federal agencies, businesses, and other organizations should prioritize patching affected systems. Federal Civilian Executive Branch (FCEB) agencies have been directed to apply patches by April 28, 2025, as part of Binding Operational Directive (BOD) 22-01, which mandates the timely patching of known exploited vulnerabilities.

Technical Details of the Vulnerability

The flaw stems from the order in which CrushFTP verifies credentials during login. The server first checks whether the username exists, before any password is required, which lets an attacker inject a manipulated AWS4-HMAC header. The manipulated header drives the server’s authentication flow down an incorrect path, bypassing its checks and granting the attacker unauthorized access.

Furthermore, the flaw allows attackers to persistently maintain access, as the server fails to clean up the session once the header is manipulated. This creates a backdoor for continued exploitation and leaves the system vulnerable indefinitely.

Impact of the Vulnerability

The vulnerability has severe consequences. By bypassing authentication, attackers can easily compromise sensitive data, take control of administrative accounts, and even execute further exploits within the compromised network. This presents a high risk to organizations that depend on CrushFTP for secure file transfer operations, especially in sectors dealing with sensitive information.

The flaw affects a large number of installations of CrushFTP. According to recent reports, over 815 unpatched instances of CrushFTP remain vulnerable to exploitation, with 487 of those located in North America and 250 in Europe. These figures highlight the widespread nature of the problem, making it an urgent priority for organizations to address.

Vulnerability Disclosure Controversy

The disclosure of CVE-2025-31161 has been surrounded by some controversy. Initially, the vulnerability was assigned CVE-2025-2825 by VulnCheck, another CVE Numbering Authority (CNA), before MITRE later reassigned the CVE identifier to CVE-2025-31161. This mix-up led to confusion in the cybersecurity community and delayed the public release of the vulnerability details. Furthermore, the VulnCheck identifier led to the flaw becoming widely known before the 90-day responsible disclosure period had concluded, potentially accelerating the exploitation of the flaw.

Despite the controversy, Outpost24, a cybersecurity company responsible for discovering the flaw, coordinated with CrushFTP to ensure that patches were released to address the vulnerability. However, with the flaw being widely publicized, exploitation efforts began soon after, further emphasizing the importance of timely updates and patching.

Exploitation in the Wild

Reports from cybersecurity firms, including Huntress, have confirmed active exploitation of the vulnerability. Huntress observed instances where attackers used the flaw to install legitimate remote desktop software such as AnyDesk and MeshAgent, along with malware such as the C++-based TgBot library. This suggests that threat actors are not just exploiting the flaw for unauthorized access, but are also deploying tools to maintain persistence and collect data from the compromised systems.

The exploitation timeline reveals that attacks have been active since at least April 3, 2025, with evidence suggesting that some breaches may have occurred as early as March 30. These early exploitation efforts primarily targeted managed service providers (MSPs), leading to compromises in multiple organizations at once. As of April 6, 2025, 815 unpatched instances were still vulnerable.

Mitigation and Recommendations

To mitigate CVE-2025-31161, CrushFTP users are strongly advised to update to a fixed release of the software. Specifically, upgrade to:

  • CrushFTP 10.8.4 or later

  • CrushFTP 11.3.1 or later
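As an added triage example (not CrushFTP’s or CISA’s code), the following Python script classifies inventoried CrushFTP version strings against the fixed releases named above, 10.8.4 for the 10.x line and 11.3.1 for the 11.x line. The hostnames and version strings are constructed, and the handling of a trailing build suffix and of versions older than 10.x is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases from the advisory: 10.x is fixed at 10.8.4, 11.x at 11.3.1.
FIXED_VERSIONS = {10: (10, 8, 4), 11: (11, 3, 1)}

# Leading "major.minor[.patch]"; anything after it (e.g. a build suffix) is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a version string, or None if unparsable."""
    # Assumption: a missing patch component counts as 0 and any trailing
    # build suffix is not significant for the affected/fixed decision.
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version_text: str) -> Optional[bool]:
    """True if vulnerable to CVE-2025-31161, False if fixed, None if unknown."""
    v = parse_version(version_text)
    if v is None:
        return None
    if v[0] in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[v[0]]  # tuple comparison: older than the fix?
    # Assumption: majors below 10 predate both fixes; majors above 11 postdate them.
    return v[0] < 10


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, version) pair as PATCH NOW, ok, or unknown."""
    rows = []
    for host, ver in inventory:
        a = is_affected(ver)
        status = "unknown" if a is None else ("PATCH NOW" if a else "ok")
        rows.append((host, ver, status))
    return rows


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ftp-01.example.test", "10.8.3"),
    ("ftp-02.example.test", "10.8.4"),
    ("ftp-03.example.test", "11.2.9"),
    ("ftp-04.example.test", "11.3.1_06"),
    ("ftp-05.example.test", "unknown-build"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:22} {ver:14} {status}")
```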

Additionally, users should implement best practices to safeguard against future vulnerabilities:

  • Enable automated updates for CrushFTP, which can be configured by setting the “daily_check_and_auto_update_on_idle” flag.

  • For organizations unable to immediately update to the latest versions, manually downloading and applying the patches is crucial.

  • Enhanced security configurations, such as utilizing DMZ proxy instances, should also be considered for critical systems.

Conclusion

The active exploitation of CVE-2025-31161 underscores the growing sophistication of cyber threats targeting popular software platforms. Organizations using CrushFTP must act swiftly to apply patches and secure their systems against the risks posed by this vulnerability. As the cybersecurity landscape evolves, continuous monitoring, regular security audits, and proactive vulnerability management will be essential to defend against emerging threats like this.

The incident also serves as a reminder of the importance of coordinated, transparent disclosure processes to ensure vulnerabilities are patched before they are widely exploited. Organizations should take heed of this alert and apply necessary security measures to avoid being caught off-guard by future vulnerabilities.