PT-2025-14099 · Crushftp · Crushftp
Mortem
·
Published
2025-03-13
·
Updated
2026-05-14
·
CVE-2025-31161
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
CrushFTP versions 10.0.0 through 10.8.3
CrushFTP versions 11.0.0 through 11.3.0
Description
An authentication bypass exists in the HTTP component of the FTP server within the AWS4-HMAC (S3-compatible) authorization method. The issue stems from a race condition: the server verifies user existence via the loginUserPass() function without requiring a password, which can authenticate a session before user verification is re-checked. The bypass can be further stabilized by sending a mangled AWS4-HMAC header containing only a username and a slash (/); this triggers the anypass authentication process but causes an index-out-of-bounds error when the server fails to find the SignedHeaders entry, preventing session cleanup.

These flaws allow remote attackers to authenticate as any known or guessable user, such as crushadmin, leading to full system compromise and administrative access. The issue has been actively exploited since March 30, 2025, affecting sectors including retail, marketing, and semiconductors, with approximately 130,000 instances estimated to be exposed online. Observed attacks involved creating backdoor administrative accounts using the setUserItem function and deploying malware such as MeshCentral, AnyDesk, and Telegram-linked DLLs for persistence.
Recommendations
Update CrushFTP version 10 to 10.8.4.
Update CrushFTP version 11 to 11.3.1.
Use a DMZ proxy instance as a temporary buffer to mitigate the risk of authentication bypass.
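The description above attributes the stabilized bypass to an AWS4-HMAC Authorization header whose Credential value is just a username and a slash, with no SignedHeaders entry. As an added defensive example (not part of this advisory and not CrushFTP code), the following Python classifier checks Authorization header values, for instance from reverse-proxy or WAF logs in front of a CrushFTP instance, and flags headers that do not have the well-formed AWS4 shape. The sample header values are constructed for the example; the expected credential scope format (access-key/date/region/service/aws4_request) is the documented AWS Signature Version 4 layout.

```python
# Defensive classifier for AWS4-HMAC Authorization header values (added example).
# It flags malformed headers so they can be reviewed or blocked at a proxy
# before they reach the CrushFTP HTTP component.

AWS4_PREFIX = "AWS4-HMAC-SHA256"

# Constructed sample header values (not taken from any real capture).
SAMPLE_HEADERS = [
    "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250401/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-date, Signature=abc123",          # normal S3 client
    "AWS4-HMAC-SHA256 Credential=crushadmin/",                  # bare user + slash, no SignedHeaders
    "AWS4-HMAC-SHA256 Credential=crushadmin/, Signature=",      # same shape, empty Signature
    "AWS4-HMAC-SHA256 Credential=crushadmin/, SignedHeaders=host, Signature=x",  # bad scope
    "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250401/us-east-1/s3/aws4_request",  # no sig
    "Basic dXNlcjpwYXNz",                                       # not AWS4 at all
]


def parse_aws4(header):
    """Split an AWS4-HMAC header into its key/value fields; None if not AWS4."""
    if not header.startswith(AWS4_PREFIX):
        return None
    fields = {}
    for part in header[len(AWS4_PREFIX):].split(","):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def classify(header):
    """Return a verdict string describing how well-formed the AWS4 header is."""
    fields = parse_aws4(header)
    if fields is None:
        return "not-aws4"
    # A valid credential scope has five non-empty slash-separated components.
    scope = fields.get("Credential", "").split("/")
    scope_ok = len(scope) == 5 and all(scope)
    if not scope_ok:
        # Malformed scope with no SignedHeaders matches the header shape the
        # advisory describes; treat it as the highest-priority finding.
        if "SignedHeaders" not in fields:
            return "malformed-credential-no-signedheaders"
        return "malformed-credential"
    if "SignedHeaders" not in fields or not fields.get("Signature"):
        return "missing-fields"
    return "well-formed"


def scan(headers):
    """Return (header, verdict) pairs for every header that is not well-formed AWS4
    and is not some other scheme entirely."""
    return [(h, classify(h)) for h in headers
            if classify(h) not in ("well-formed", "not-aws4")]


if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_HEADERS):
        print(f"{verdict:40} {header}")
```

The classifier is deliberately strict about shape rather than trying to validate signatures: a proxy in front of CrushFTP can reject or log anything that is not a complete AWS4 header, which removes the malformed-header path without needing the application's keys.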
Exploit
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Crushftp