The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a new vulnerability to its Known Exploited Vulnerabilities Catalog. The vulnerability, identified as CVE-2025-31161, is an Authentication Bypass Vulnerability in CrushFTP, a widely used FTP server software.
CVE-2025-31161 specifically affects versions of CrushFTP prior to 10.8.4 and 11.3.1, leaving users vulnerable to an authentication bypass attack. This flaw allows attackers to bypass authentication mechanisms and take over administrative accounts, such as the “crushadmin” account unless specific protective measures like a DMZ proxy instance are in place. The vulnerability is linked to a race condition in the AWS4-HMAC (compatible with S3) authorization method used by CrushFTP’s HTTP component.
The flaw allows attackers to authenticate as any user, including administrative accounts, without needing to provide the correct password. By exploiting the vulnerability, attackers can bypass standard authentication processes, making it trivial to compromise the system. This flaw not only facilitates unauthorized access but also allows for full system compromise, putting sensitive data and critical infrastructure at risk.
How Does CVE-2025-31161 Vulnerability Work?
The vulnerability arises from the way CrushFTP verifies user credentials during the login process. Specifically, the server first checks if a username exists without requiring a password, allowing the session to be authenticated through the HMAC verification process. However, the server fails to fully check the user’s credentials until later, creating a window of opportunity for an attacker to inject a manipulated AWS4-HMAC header.
This leads to an anypass authentication process, where the server mistakenly authenticates the attacker as a valid user. Furthermore, by manipulating the AWS4-HMAC header, the attacker can trigger an “index-out-of-bounds” error that prevents the session from being cleaned up, effectively allowing the attacker to retain access indefinitely. This combination of factors makes the flaw particularly dangerous and easy to exploit.
Impact and Severity of CVE-2025-31161
The vulnerability has been classified as critical, with a CVSS score of 9.8. This high severity rating indicates that the flaw poses a risk to organizations using affected versions of CrushFTP. The vulnerability is particularly concerning because it can lead to the full compromise of systems, including the ability to take over administrative accounts without proper authorization.
This flaw is not just a theoretical risk but has been actively exploited in the wild, making it important for users to take immediate action. If left unaddressed, the vulnerability could lead to data breaches, unauthorized access to sensitive files, and potential system outages.
Affected Versions and Mitigation
The following versions of CrushFTP are affected by the Authentication Bypass Vulnerability:
- CrushFTP 10.0.0 to 10.8.3
- CrushFTP 11.0.0 to 11.3.0
To mitigate the risk, users are strongly advised to update to the latest versions:
- CrushFTP 10.8.4 or later
- CrushFTP 11.3.1 or later
For those who have not yet updated, it is critical to do so as soon as possible to avoid exposure to this vulnerability. The update process is straightforward and can be done from the CrushFTP dashboard.
If direct updates are not possible, users can download the latest versions manually and apply the patches offline.
Conclusion
To enhance protection against vulnerabilities like CVE-2025-31161, users should not only update CrushFTP to the latest secure versions but also enable automated updates by setting the “daily_check_and_auto_update_on_idle” flag in the preferences XML file for v11.2.3_19+.
Additionally, configuring email reset URL domains and implementing extra security measures, such as a DMZ proxy, is highly recommended. Users on older versions like v10.6.1 or v10.5.5 must update immediately to avoid unauthorized access.
This vulnerability is not an isolated issue, as previous CrushFTP versions have also been targeted by flaws such as password reset exploits and XSS bugs, emphasizing the need for regular security patches.
