PT-2025-14099 · CrushFTP · CrushFTP

Published 2025-03-13 · Updated 2026-01-16 · CVE-2025-31161

CVSS v2.0: 10 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: CrushFTP versions 10.0.0 through 10.8.3 and versions 11.0.0 through 11.3.0

Description: CrushFTP is affected by an authentication bypass issue that allows attackers to take over the crushadmin account, unless a DMZ proxy instance is used. This vulnerability, exploited in the wild since March 2025, is due to a race condition in the AWS4-HMAC authorization method of the HTTP component. The server first verifies that the user exists without requiring a password, and only then authenticates the session through HMAC verification. A mangled AWS4-HMAC header containing only a username and a forward slash (/) can bypass authentication, leading to a full system compromise. Attackers have been observed creating backdoor accounts and using tools such as MeshCentral and AnyDesk for persistence. Approximately 815 servers were identified as vulnerable, impacting sectors including marketing, retail, and semiconductors. The vulnerability allows attackers to gain administrative access without valid credentials.

Recommendations: Update CrushFTP 10.x to version 10.8.4 or later. Update CrushFTP 11.x to version 11.3.1 or later.
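The following is an added defensive example, not CrushFTP code and not part of this advisory. It implements the two checks a defender would want from the description above: whether a CrushFTP version string falls inside the affected ranges the advisory names (10.0.0 through 10.8.3, 11.0.0 through 11.3.0), and a scan of HTTP request records for an AWS4-HMAC Authorization header whose Credential field carries only a username and a trailing slash instead of a full credential scope, which is the mangled shape the advisory describes. It assumes the header follows the standard AWS Signature Version 4 layout ("AWS4-HMAC-SHA256 Credential=<id>/<date>/<region>/<service>/aws4_request, ..."); the record layout, hostnames, addresses and sample headers are constructed for the example.

```python
import re

# Affected ranges and fix versions taken from the advisory text.
AFFECTED_RANGES = (((10, 0, 0), (10, 8, 3)), ((11, 0, 0), (11, 3, 0)))
FIXED_VERSIONS = {10: "10.8.4", 11: "11.3.1"}


def parse_version(version):
    """Turn '10.8.3' (or '11.3') into a comparable (major, minor, patch) tuple."""
    nums = []
    for part in version.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            raise ValueError(f"unparseable version component: {part!r}")
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_affected_version(version):
    """True if the version lies in one of the ranges the advisory lists."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version):
    """Fixed release for the given major line, or None if not covered."""
    return FIXED_VERSIONS.get(parse_version(version)[0])


CRED_RE = re.compile(r"Credential=([^,\s]*)", re.IGNORECASE)


def classify_aws4_authorization(header):
    """None if the header is not AWS4-HMAC at all; 'well-formed' if the
    Credential value has the standard SigV4 scope (assumption: CrushFTP's
    S3-style endpoint accepts that layout); 'mangled' otherwise."""
    if header is None or not header.strip().upper().startswith("AWS4-HMAC"):
        return None
    m = CRED_RE.search(header)
    if not m:
        return "mangled"
    parts = m.group(1).split("/")
    # Expected: accesskey/date/region/service/aws4_request, all parts non-empty.
    if len(parts) == 5 and all(parts) and parts[-1] == "aws4_request":
        return "well-formed"
    return "mangled"


def find_suspicious_aws4_auth(records):
    """Return (source, username) pairs for requests whose AWS4-HMAC Authorization
    header is mangled, i.e. lacks the date/region/service scope."""
    hits = []
    for rec in records:
        header = rec.get("headers", {}).get("Authorization")
        if classify_aws4_authorization(header) == "mangled":
            m = CRED_RE.search(header or "")
            user = m.group(1).split("/")[0] if m else ""
            hits.append((rec.get("src", "?"), user))
    return hits


# Constructed sample request records (not real traffic).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "path": "/WebInterface/function/",
     "headers": {"Authorization": "Basic dXNlcjpwYXNz"}},
    {"src": "203.0.113.9", "path": "/bucket/object",
     "headers": {"Authorization": (
         "AWS4-HMAC-SHA256 Credential=alice/20250313/us-east-1/s3/aws4_request, "
         "SignedHeaders=host;x-amz-date, Signature=0123abcd")}},
    {"src": "198.51.100.7", "path": "/WebInterface/function/",
     "headers": {"Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/"}},
    {"src": "198.51.100.8", "path": "/", "headers": {}},
]

if __name__ == "__main__":
    for ver in ("10.8.3", "10.8.4", "11.3.0", "11.3.1"):
        print(ver, "affected" if is_affected_version(ver) else "ok",
              "fix:", recommended_fix(ver))
    for src, user in find_suspicious_aws4_auth(SAMPLE_REQUESTS):
        print(f"mangled AWS4-HMAC credential from {src} for user {user!r}")
```

The version check is a quick inventory aid; the header classifier is a heuristic for proxy or web-server logs that record the Authorization header, and a hit warrants checking the server for the unexpected accounts and remote-access tools the advisory mentions.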

Tags: Exploit · Fix · RCE

Weakness Enumeration: none listed

Related Identifiers: BDU:2025-03886, CVE-2025-31161

Affected Products: CrushFTP