Executive Summary

    On March 21st, CrushFTP released an announcement that their file transfer software suite was affected by a critical HTTP authentication bypass vulnerability that could result in unauthorized access to sensitive data hosted on CrushFTP servers. The vulnerability was later identified as CVE-2025-31161 and affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.

    The vulnerability exists due to a flaw in HTTP authentication header logic that allows an attacker to bypass normal authentication checks. If successfully exploited, remote attackers could gain unauthorized access to vulnerable CrushFTP servers exposed over HTTP(S). The vulnerability does not require prior access or valid credentials, making it dangerous for internet-facing servers.

    The vulnerability was added to CISA’s known exploited vulnerabilities (KEV) catalog on April 7th due to reports of active exploitation in the wild. On April 9th, public proof-of-concept code was made available.

    Beazley Security strongly recommends organizations immediately apply patches for affected CrushFTP products as there is active and ongoing exploitation of this issue.

    Affected Systems or Products

    This vulnerability affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.

    Software Version    Affected            Unaffected

    CrushFTP 10         10.8.3 and prior    10.8.4

    CrushFTP 11         11.3.0 and prior    11.3.1
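    The affected ranges above are easy to get wrong when checking an inventory by hand (10.8.4 is fixed, 10.8.10 would not be a "prior" version). The following is an added example, not CrushFTP's or Beazley Security's code: it parses a CrushFTP version string and compares it as a tuple against the two affected ranges from this advisory. The hostnames and version strings in the sample inventory are constructed.

```python
import re

# Affected ranges for CVE-2025-31161 as stated in the advisory:
# 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 (inclusive).
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 8, 3)),
    ((11, 0, 0), (11, 3, 0)),
)


def parse_version(text):
    """Turn '11.3.0' (optionally followed by a build tag) into a tuple of ints."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version falls inside one of the published affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """inventory: {hostname: version string}; returns hosts that still need the patch."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "ftp-01": "10.8.3",
        "ftp-02": "10.8.4",
        "ftp-03": "11.3.0",
        "ftp-04": "11.3.1",
    }
    print(triage(sample))  # ['ftp-01', 'ftp-03']
```

    Tuple comparison is what makes this correct for multi-digit components; a plain string comparison would rank "10.8.10" below "10.8.3".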

    Mitigations / Workarounds

    CrushFTP has advised customers to immediately upgrade impacted installations to version 10.8.4 or 11.3.1, or later.

    Beazley Security Labs recommends affected organizations install the patch immediately as this vulnerability is actively being exploited by threat actors. Affected organizations should, at the very least, disable internet access to the vulnerable service.

    If immediate patching is not an option, implementing CrushFTP’s DMZ perimeter network option can also mitigate the threat, according to the vulnerability section within their own advisory.

    Given the active exploitation and severity of this vulnerability, affected organizations should verify the integrity of their data and apply security patches immediately. See the Indicators of Compromise section for guidance on artifacts to look for when reviewing systems for possible compromise.

    Patches

    CrushFTP has provided an update as of March 21st that reportedly fixes the vulnerability. The download has been made available on the CrushFTP website. Versions 10.8.4 and 11.3.1 are reportedly no longer vulnerable to this attack.

    Additionally, CrushFTP support has provided instructions for launching the update from the Server Admin section of the software:

    • Log in to the dashboard using your "crushadmin" equivalent user in the WebInterface.

    • Click on the About tab.

    • Click Update > Update now.

    • Wait roughly five minutes for the files to download, unzip, and be copied in place. CrushFTP will auto restart once done.

    Indicators of Compromise

    CrushFTP has publicly released the below post-exploitation activity on compromised systems:

    "custom jar files installed into CrushFTP so custom code is now running. 
    custom dll's being installed into system32 of windows...so the OS is running custom code
    custom settings changes being made to windows configuration
    additional random GUID style usernames being created
    downloading of all files and certificates they can access
    new admin usernames being created
    disabling of existing admins
    limiting of IPs that can do admin actions in order to create more problems for real admins
    executing other processes to scan for more items on the network"

    Huntress has released post-exploitation observations on its blog, including detections that show the exploited CrushFTPService downloading and spawning AnyDesk for remote access. SimpleHelp remote management software was observed on another vulnerable system.

    File hashes of malicious DLLs observed were also provided by Huntress:

    • 85a1bfebf2a5973ebecd6e5a58c8fab18edfead2c1680ec1e9cce902924c347e

    • f7c8be827f3bd98b30c5a8d23c1af77f3d0324a9ebcd90104134fc1971751ff7

    • be6cb5f80b33b9e97622d278a86a99e67b78ccab0b3e554b8430ae5969bcfc0e

    Inside the home directory of the CrushFTP software is a file called CrushFTP.log, which may also be useful for hunting for signs of exploitation or unexpected activity, especially lines that include “Credential=crushadmin/” on vulnerable running versions of the software. According to Huntress, the log may also indicate signs of the STOR command uploading malicious files.
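    The two hunting leads in this section (the three Huntress DLL hashes and the "Credential=crushadmin/" and STOR lines in CrushFTP.log) can be swept with a short script. This is an added example, not code from CrushFTP, Huntress or Beazley Security. It generalizes the log check slightly: it flags any Credential value that ends immediately after the username with no date/region/service scope, not only crushadmin, since the technical details note that any known username works. The hashes are the ones listed above; the log lines in the sample are constructed and only approximate the CrushFTP.log layout.

```python
import hashlib
import os
import re

# SHA-256 hashes of the malicious DLLs published by Huntress (taken from this advisory).
KNOWN_BAD_SHA256 = {
    "85a1bfebf2a5973ebecd6e5a58c8fab18edfead2c1680ec1e9cce902924c347e",
    "f7c8be827f3bd98b30c5a8d23c1af77f3d0324a9ebcd90104134fc1971751ff7",
    "be6cb5f80b33b9e97622d278a86a99e67b78ccab0b3e554b8430ae5969bcfc0e",
}

# A mangled SigV4 credential: "Credential=<user>/" followed by whitespace, a comma or
# end of line. A well-formed one continues with "<date>/<region>/<service>/aws4_request".
BYPASS_RE = re.compile(r"Credential=([^/\s,]+)/(?=\s|$|,)")
# FTP STOR command, which Huntress reports was used to upload malicious files.
STOR_RE = re.compile(r"\bSTOR\b\s+(\S+)")


def scan_log_lines(lines):
    """Return (line_no, kind, detail) tuples for suspicious lines in CrushFTP.log."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = BYPASS_RE.search(line)
        if m:
            findings.append((n, "auth-bypass-header", m.group(1)))
        m = STOR_RE.search(line)
        if m:
            findings.append((n, "file-upload", m.group(1)))
    return findings


def hash_bytes(data):
    return hashlib.sha256(data).hexdigest()


def is_known_bad(hexdigest):
    return hexdigest.lower() in KNOWN_BAD_SHA256


def sweep_directory(root):
    """Walk a directory tree and return the paths whose SHA-256 is on the IoC list."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            try:
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            if is_known_bad(digest.hexdigest()):
                hits.append(path)
    return hits


if __name__ == "__main__":
    # Constructed sample lines in a CrushFTP.log-like shape (not real log output).
    sample_log = [
        "03/24/2025 10:01:02|GET /WebInterface/function/?command=getUserList&c2f=1111 "
        "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/",
        "03/24/2025 10:01:05|Authorization: AWS4-HMAC-SHA256 "
        "Credential=svc_backup/20250324/us-east-1/s3/aws4_request",
        "03/24/2025 10:02:30|STOR /WebInterface/evil.dll",
    ]
    for n, kind, detail in scan_log_lines(sample_log):
        print(f"line {n}: {kind} ({detail})")
    # Point CRUSHFTP_HOME at the CrushFTP install directory (placeholder: current directory).
    print(sweep_directory(os.environ.get("CRUSHFTP_HOME", ".")))
```

    Run the hash sweep against both the CrushFTP home directory and Windows system32, since the CrushFTP statement above reports custom DLLs dropped there; a hit on any of the three hashes is a confirmed compromise, while an empty result only means those specific files are absent.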

    Technical Details

    The vulnerability stems from improper handling of HTTP Authorization headers within CrushFTP's authentication mechanism. Attackers can exploit a race condition that, if successful, bypasses authentication checks and allows them to log in without valid credentials. Specifically, the race condition exists in the AWS4-HMAC-SHA256 authentication method on the FTP server.

    According to a blog by Outpost24, the vulnerable service can be exploited by sending a 'mangled' AWS4-HMAC-SHA256 header. The specifically formed request would need to include an Authorization header with a forged credential parameter followed by a forward slash (Credential=crushadmin/) and a CrushAuth cookie value containing a random 31-character string. Lastly, a currentAuth query parameter would need to be set and contain the last four characters of the CrushAuth cookie.

    A proof-of-concept example was also provided by Huntress:

    GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=1111 HTTP/1.1
    Cookie: CrushAuth=1111111111_111111111111111111111111111111111
    Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
    Connection: close

    Due to a timing and logic flaw in how CrushFTP validates these parameters, the vulnerable service may accept the session as authenticated without ever validating credentials if a known username is leveraged, such as the default crushadmin account.
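    A reverse proxy or WAF in front of CrushFTP can recognise this request shape before it reaches the service. The following is an added example, not code from CrushFTP, Huntress or Outpost24: it parses a raw HTTP request and checks the three conditions described above (an AWS4-HMAC-SHA256 Authorization header whose Credential ends right after the username with no date/region/service scope, a CrushAuth cookie, and a query parameter equal to the cookie's last four characters). It assumes the c2f query parameter in the proof-of-concept is the currentAuth parameter the text refers to, and it uses the standard AWS SigV4 credential-scope layout as the definition of a well-formed Credential. The first sample request is the proof-of-concept above; the second, well-formed request is constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Well-formed SigV4 credential: <access-key>/<YYYYMMDD>/<region>/<service>/aws4_request
SIGV4_CREDENTIAL_RE = re.compile(r"^[^/\s]+/\d{8}/[^/\s]+/[^/\s]+/aws4_request$")

# Proof-of-concept request from the advisory (Huntress), as a raw HTTP/1.1 message.
POC_REQUEST = (
    "GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=1111 HTTP/1.1\r\n"
    "Cookie: CrushAuth=1111111111_111111111111111111111111111111111\r\n"
    "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/\r\n"
    "Connection: close\r\n\r\n"
)

# Constructed well-formed S3-style request for comparison (credential scope and
# signature values are made up, not real credentials).
LEGIT_REQUEST = (
    "GET /WebInterface/function/?command=getUserList&c2f=ab12 HTTP/1.1\r\n"
    "Cookie: CrushAuth=1700000000_ZZZZZZZZZZZZZZZZZZZZZZZZZZZab12\r\n"
    "Authorization: AWS4-HMAC-SHA256 Credential=svc_backup/20250324/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-date, Signature=0123456789abcdef\r\n\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, {lower-case header: value})."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = [line for line in re.split(r"\r?\n", head) if line.strip()]
    method, target, _version = lines[0].split(None, 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_cookies(header_value):
    out = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def assess(raw):
    """Return per-condition flags plus an overall 'bypass_shaped' verdict for one request."""
    _method, target, headers = parse_request(raw)
    auth = headers.get("authorization", "")
    cred_match = re.search(r"Credential=([^,\s]*)", auth)
    credential = cred_match.group(1) if cred_match else None
    crush_auth = parse_cookies(headers.get("cookie", "")).get("CrushAuth", "")
    query = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    c2f = query.get("c2f", "")  # assumed to be the 'currentAuth' parameter from the text

    flags = {
        "aws4_header": auth.startswith("AWS4-HMAC-SHA256"),
        # Credential present but lacking the date/region/service scope after the username.
        "credential_without_scope": credential is not None
        and not SIGV4_CREDENTIAL_RE.match(credential),
        "crushauth_cookie": bool(crush_auth),
        # Matching the cookie's last four characters is normal for genuine sessions too,
        # so on its own it is not an indicator; it only counts with the malformed header.
        "c2f_matches_cookie": len(c2f) == 4 and crush_auth.endswith(c2f),
        "credential": credential,
    }
    flags["bypass_shaped"] = (
        flags["aws4_header"]
        and flags["credential_without_scope"]
        and flags["crushauth_cookie"]
        and flags["c2f_matches_cookie"]
    )
    return flags


if __name__ == "__main__":
    for label, req in (("poc", POC_REQUEST), ("legit", LEGIT_REQUEST)):
        result = assess(req)
        print(f"{label}: bypass_shaped={result['bypass_shaped']} credential={result['credential']!r}")
```

    The key signal is the Credential value alone: a genuine SigV4 header always carries the full credential scope, so "Credential=<user>/" with nothing after the slash has no legitimate use and can be blocked or alerted on at the edge even on patched servers, where it still identifies scanning activity.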

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.