A serious security flaw in CrushFTP was recently revealed, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability allows attackers to bypass authentication and access vulnerable systems without a password, potentially letting them take control of the system. It affects versions before 10.8.4 and 11.3.1 and has been fixed in those releases.
The flaw lies in the handling of the HTTP Authorization header and allows attackers to log in as any user, including a common one like “crushadmin,” which could lead to a complete system compromise. The vulnerability has been assigned a critical CVSS score (9.8 out of 10) and is tracked as CVE-2025-31161. It was previously known as CVE-2025-2825, but that identifier has since been marked as invalid.
The confusion over identifiers stems from a disputed disclosure process. VulnCheck, a CVE Numbering Authority, assigned an identifier (CVE-2025-2825) to the flaw. The vendor, CrushFTP, clarified that it had asked MITRE for a CVE number on March 13, 2025, and was working with Outpost24 to make sure the issue was fixed within a 90-day disclosure window.
However, MITRE only assigned the correct CVE number (CVE-2025-31161) on March 27, 2025. By that time, VulnCheck had already issued its own CVE without first checking with CrushFTP or Outpost24 to see whether the issue was already being handled responsibly.
The Swedish cybersecurity company Outpost24 released step-by-step instructions for triggering the flaw without sharing many technical specifics:
1. Generate a random session token that’s at least 31 characters long.
2. Set the cookie called CrushAuth with the token from step 1.
3. Set another cookie called CrushFTP with just the last four characters of the token from step 1.
4. Make a special request to the server with:
• The cookies from steps 2 and 3.
• An Authorization header in a specific format: “AWS4HMAC=<username>/”, where <username> is the user to impersonate (such as crushadmin).
As a result, the forged session is treated as belonging to the chosen user, allowing the attacker to perform any action that user can, such as executing commands.
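As a defensive counterpart to the procedure above, here is a small detector, added here and not code from the article, Outpost24 or Huntress, that scans access-log lines for requests carrying an “AWS4HMAC=<user>/” Authorization header together with the cookie pattern the article describes. The log format, field names and every sample value are constructed assumptions.

```python
import re

# Constructed sample access log (not from the article). Assumed format:
# "<ts> <client> <method> <path> cookie="..." auth="..."
SAMPLE_LOG = """\
2025-04-01T10:00:01Z 203.0.113.5 GET /WebInterface/ cookie="CrushAuth=1743500000000_AbCdEfGhIjKlMnOpQrStUvWxYz1234567890; CrushFTP=7890" auth="AWS4HMAC=crushadmin/"
2025-04-01T10:00:02Z 198.51.100.7 GET /WebInterface/ cookie="CrushAuth=1743500001234_validServerIssuedTokenXXXXXXXXXX; CrushFTP=XXXX" auth="Basic dXNlcjpwYXNz"
2025-04-01T10:00:03Z 203.0.113.5 POST /WebInterface/function/ cookie="CrushAuth=zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz9999; CrushFTP=9999" auth="AWS4HMAC=backupuser/"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) '
    r'cookie="(?P<cookie>[^"]*)" auth="(?P<auth>[^"]*)"$'
)


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into a name -> value dict."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


def impersonated_user(cookie_header: str, auth_header: str):
    """Return the user named in an AWS4HMAC Authorization header when the
    request also matches the forged-session cookie pattern described in the
    article (CrushAuth of 31+ chars, CrushFTP = its last four chars); else None."""
    if not auth_header.startswith("AWS4HMAC="):
        return None
    jar = parse_cookies(cookie_header)
    token, tail = jar.get("CrushAuth", ""), jar.get("CrushFTP", "")
    if len(token) >= 31 and len(tail) == 4 and token.endswith(tail):
        return auth_header[len("AWS4HMAC="):].split("/", 1)[0]
    return None


def scan_log(text: str) -> list:
    """Return (timestamp, client, impersonated user) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip lines that do not match the assumed format
        user = impersonated_user(m["cookie"], m["auth"])
        if user:
            hits.append((m["ts"], m["client"], user))
    return hits


if __name__ == "__main__":
    for ts, client, user in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} impersonates {user}")
```

A hit is only an indicator; confirm it against the CrushFTP server's own session records before treating the host as compromised.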
Huntress, a cybersecurity company, reproduced a proof-of-concept for the flaw (CVE-2025-31161) and reported on April 3, 2025, that it was being actively exploited. It also uncovered additional malicious activity, including the deployment of the MeshCentral agent and other malware. The attacks may have started as early as March 30, 2025.
Huntress observed that four different companies were targeted, with three of them being hosted by the same managed service provider (MSP). While the names of the affected companies haven’t been shared, they operate in the marketing, retail, and semiconductor industries.
The attackers have used their access to install legitimate remote-access software such as AnyDesk and MeshAgent, and in at least one case they also attempted to harvest login credentials.
After installing MeshAgent, the attackers created a new non-admin user called “CrushUser” and dropped another file (“d3d11.dll”), which is part of the open-source TgBot library. This suggests they may be using a Telegram bot to collect data from infected computers.
As of April 6, 2025, there are 815 systems still vulnerable to this flaw, with 487 of them in North America and 250 in Europe. Because this is an ongoing threat, U.S. government agencies are required to apply the necessary security updates by April 28, 2025, to secure their networks.