Is Your Server Safe from the Exploited CrushFTP Vulnerability?

Article Highlights
Off On

Recent developments in the cybersecurity field have thrust the CrushFTP vulnerability into the spotlight, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding it to its Known Exploited Vulnerabilities (KEV) catalog. This critical security flaw allows an unauthenticated attacker to take over susceptible CrushFTP instances, posing a significant threat to affected networks. With active exploitation of this vulnerability reported, it is crucial to understand how this flaw operates and what steps can be taken to mitigate the risks.

1. Exploiting the Authentication Bypass Vulnerability

The CrushFTP vulnerability, identified as CVE-2025-31161, is an authentication bypass issue in the HTTP authorization header. This flaw enables a remote unauthenticated attacker to authenticate to any known or guessable user account, such as “crushadmin.” The risk is so severe that it can potentially lead to a full system compromise. CISA’s advisory has highlighted the gravity of this vulnerability, giving it a CVSS score of 9.8 and marking its predecessor, CVE-2025-2825, as rejected on the CVE list.

The controversy surrounding the disclosure process of this vulnerability only adds to the complexity of the situation. Outpost24, the entity responsible for disclosing the flaw, requested a CVE number from MITRE and coordinated with CrushFTP to ensure fixes were rolled out within a 90-day disclosure period. However, confusion arose when VulnCheck assigned its identifier without contacting the concerned parties. This led to MITRE rejecting VulnCheck’s CVE-2024-2825 in favor of CVE-2025-31161, causing frustration and criticism within the cybersecurity community.

2. Recreating the Exploit

The exploit for the CrushFTP vulnerability involves a series of steps that manipulate session tokens and authorization headers. To execute this attack successfully, one must:

  1. Produce a random alphanumeric session token with at least 31 characters in length.
  2. Assign a cookie named CrushAuth to the token from step 1.
  3. Assign a cookie named currentAuth to the last 4 characters of the token from step 1.
  4. Make an HTTP GET request to the target /WebInterface/function/ including the cookies from steps 2 and 3, along with an Authorization header set to “AWS4-HMAC=/,” where is the user to be logged in as (e.g., crushadmin).

By following these steps, the generated session becomes authenticated as the chosen user, allowing the attacker to perform any actions permitted to that user. This capability underscores the dire need to address this vulnerability promptly.

3. Observed Exploitation in the Wild

Reports of in-the-wild exploitation of CVE-2025-31161 have surfaced, indicating that the vulnerability is being actively leveraged by malicious actors. On April 3, 2025, Huntress observed this exploitation, revealing further post-exploitation activities involving MeshCentral agents and other malware. Moreover, there is evidence suggesting that the compromise began as early as March 30. To date, exploitation efforts have targeted four distinct hosts from four different companies, with three of those affected being hosted by the same managed service provider (MSP). Although the names of the impacted companies have not been disclosed, they belong to the marketing, retail, and semiconductor sectors. The threat actors have utilized their access to install legitimate remote desktop software, such as AnyDesk and MeshAgent, and have taken steps to harvest credentials in at least one instance.

4. Mitigation Efforts and Remaining Risks

The ramifications of this vulnerability are far-reaching, with Huntress reporting that attackers have added non-admin users to local administrator groups and deployed additional malware components. One such component, the C++ binary “d3d11.dll,” implements an open-source library known as TgBot. The implication is that threat actors may be using a Telegram bot to collect telemetry from infected hosts. As of April 6, 2025, there remain 815 unpatched instances vulnerable to the CrushFTP exploit, with the majority located in North America and Europe. Given the active exploitation of this flaw, Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply necessary patches by the end of April to secure their networks. The urgency of patching these systems cannot be overstated, as the risk of further exploitation persists.

Next Steps and Considerations

Recent advancements in the cybersecurity sector have brought the CrushFTP vulnerability into focus, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) identifying it in its Known Exploited Vulnerabilities (KEV) catalog. This severe security loophole permits an unauthenticated attacker to gain control over vulnerable CrushFTP instances, posing a substantial threat to the networks that use them. The active exploitation of this vulnerability underscores the urgent need to comprehend the mechanics of this flaw and implement measures to mitigate associated risks.

Understanding how this vulnerability works is crucial. The flaw can be exploited remotely without needing authentication, allowing attackers to execute arbitrary code, steal sensitive data, or cause outages within affected systems. Remediation steps involve updating CrushFTP to the latest secure version, ensuring robust firewall configurations, and employing continuous monitoring to detect any signs of compromise. By staying informed and proactive, organizations can fortify their defenses against such critical threats in today’s digital landscape.

Explore more

Can AI Redefine C-Suite Leadership with Digital Avatars?

I’m thrilled to sit down with Ling-Yi Tsai, a renowned HRTech expert with decades of experience in leveraging technology to drive organizational change. Ling-Yi specializes in HR analytics and the integration of cutting-edge tools across recruitment, onboarding, and talent management. Today, we’re diving into a groundbreaking development in the AI space: the creation of an AI avatar of a CEO,

Cash App Pools Feature – Review

Imagine planning a group vacation with friends, only to face the hassle of tracking who paid for what, chasing down contributions, and dealing with multiple payment apps. This common frustration in managing shared expenses highlights a growing need for seamless, inclusive financial tools in today’s digital landscape. Cash App, a prominent player in the peer-to-peer payment space, has introduced its

Scowtt AI Customer Acquisition – Review

In an era where businesses grapple with the challenge of turning vast amounts of data into actionable revenue, the role of AI in customer acquisition has never been more critical. Imagine a platform that not only deciphers complex first-party data but also transforms it into predictable conversions with minimal human intervention. Scowtt, an AI-native customer acquisition tool, emerges as a

Hightouch Secures Funding to Revolutionize AI Marketing

Imagine a world where every marketing campaign speaks directly to an individual customer, adapting in real time to their preferences, behaviors, and needs, with outcomes so precise that engagement rates soar beyond traditional benchmarks. This is no longer a distant dream but a tangible reality being shaped by advancements in AI-driven marketing technology. Hightouch, a trailblazer in data and AI

How Does Collibra’s Acquisition Boost Data Governance?

In an era where data underpins every strategic decision, enterprises grapple with a staggering reality: nearly 90% of their data remains unstructured, locked away as untapped potential in emails, videos, and documents, often dubbed “dark data.” This vast reservoir holds critical insights that could redefine competitive edges, yet its complexity has long hindered effective governance, making Collibra’s recent acquisition of