A critical vulnerability in CrushFTP, tracked as CVE-2025-31161, is currently being exploited in the wild, posing a significant threat to organizations using the affected versions of the software. The flaw, which has been assigned a CVSS score of 9.8, allows attackers to bypass authentication and take over the crushadmin account, unless a DMZ proxy instance is used. This vulnerability, known as "Unauthenticated HTTP(S) port access," is due to a race condition in the AWS4-HMAC authentication mechanism.
The vulnerability affects CrushFTP versions 10 before 10.8.4 and 11 before 11.3.1. It was publicly disclosed on April 3, 2025, and has been actively exploited since March 2025. The rapid exploitation of this flaw, within just four days of its disclosure, underscores the urgency for organizations to apply patches immediately. The vulnerability has been added to the Known Exploited Vulnerabilities (KEV) catalog by CISA on April 7, 2025, highlighting its critical nature and the known use of ransomware leveraging this flaw.
Proof-of-concept (PoC) exploits for CVE-2025-31161 are readily available, with at least 18 different PoCs circulating, increasing the risk of exploitation by a wide range of threat actors. The Exploit Prediction Scoring System (EPSS) has rated this vulnerability at 0.880, indicating a high likelihood of exploitation.
Organizations using CrushFTP should prioritize patching to mitigate the risk of unauthorized access and potential data breaches. The vendor has released updates to address this vulnerability, and it is crucial for administrators to upgrade to CrushFTP 10.8.4 or 11.3.1 or later. Additionally, implementing a DMZ proxy instance can provide an additional layer of protection against this specific attack vector.
Security teams should also monitor for any signs of compromise, such as unusual account activity or unauthorized access attempts, and ensure that their incident response plans are up to date. Given the active exploitation and the involvement of ransomware, a proactive approach to patch management and network monitoring is essential to safeguard against potential attacks.
CSURFACE