Is Your Server Safe from the Exploited CrushFTP Vulnerability?


Recent developments in the cybersecurity field have thrust the CrushFTP vulnerability into the spotlight, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding it to its Known Exploited Vulnerabilities (KEV) catalog. This critical security flaw allows an unauthenticated attacker to take over susceptible CrushFTP instances, posing a significant threat to affected networks. With active exploitation of this vulnerability reported, it is crucial to understand how this flaw operates and what steps can be taken to mitigate the risks.

1. Exploiting the Authentication Bypass Vulnerability

The CrushFTP vulnerability, identified as CVE-2025-31161, is an authentication bypass issue in the HTTP authorization header. This flaw enables a remote unauthenticated attacker to authenticate to any known or guessable user account, such as “crushadmin.” The risk is so severe that it can potentially lead to a full system compromise. CISA’s advisory has highlighted the gravity of this vulnerability, giving it a CVSS score of 9.8 and marking its predecessor, CVE-2025-2825, as rejected on the CVE list.

The controversy surrounding the disclosure process of this vulnerability only adds to the complexity of the situation. Outpost24, the entity responsible for disclosing the flaw, requested a CVE number from MITRE and coordinated with CrushFTP to ensure fixes were rolled out within a 90-day disclosure period. However, confusion arose when VulnCheck assigned its own identifier without contacting the concerned parties. This led to MITRE rejecting VulnCheck’s CVE-2025-2825 in favor of CVE-2025-31161, causing frustration and criticism within the cybersecurity community.

2. Recreating the Exploit

The exploit for the CrushFTP vulnerability involves a series of steps that manipulate session tokens and authorization headers. To execute this attack successfully, one must:

  1. Produce a random alphanumeric session token at least 31 characters long.
  2. Assign a cookie named CrushAuth to the token from step 1.
  3. Assign a cookie named currentAuth to the last 4 characters of the token from step 1.
  4. Make an HTTP GET request to the target /WebInterface/function/ including the cookies from steps 2 and 3, along with an Authorization header set to “AWS4-HMAC=/,” where is the user to be logged in as (e.g., crushadmin).

By following these steps, the generated session becomes authenticated as the chosen user, allowing the attacker to perform any actions permitted to that user. This capability underscores the dire need to address this vulnerability promptly.
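
For defenders, the request pattern above doubles as a detection signature. The following Python script is an added example, not code from CrushFTP, Huntress or Outpost24; it scans proxy logs for requests carrying that pattern and counts later requests that reuse the same session token. The JSON log layout, field names, addresses and tokens are constructed assumptions.

```python
import json

# Constructed sample: JSON lines shaped like a reverse-proxy log that records
# request headers. Field names, addresses and tokens are assumptions.
TOKEN = "0123456789abcdefghijklmnopqrWXYZ"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "198.51.100.7", "method": "GET", "path": "/WebInterface/function/",
     "authorization": "AWS4-HMAC[redacted]",
     "cookie": f"CrushAuth={TOKEN}; currentAuth=WXYZ"},
    {"src": "198.51.100.7", "method": "POST", "path": "/WebInterface/function/",
     "authorization": "", "cookie": f"CrushAuth={TOKEN}; currentAuth=WXYZ"},
    {"src": "192.0.2.10", "method": "POST", "path": "/WebInterface/function/",
     "authorization": "",
     "cookie": "CrushAuth=zyxwvutsrqponmlkjihgfedcba987654; currentAuth=7654"},
    {"src": "192.0.2.20", "method": "GET", "path": "/WebInterface/login.html",
     "authorization": "", "cookie": ""},
])

def parse_cookies(header):
    """Split a Cookie header into a name -> value dict, skipping malformed parts."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return dict(pairs)

def matches_bypass_pattern(rec):
    """True when a request carries the header and cookie pattern described above."""
    cookies = parse_cookies(rec.get("cookie", ""))
    token = cookies.get("CrushAuth", "")
    return (rec.get("path", "").startswith("/WebInterface/function/")
            and rec.get("authorization", "").startswith("AWS4-HMAC")
            and len(token) >= 31
            and cookies.get("currentAuth") == token[-4:])

def scan(log_text):
    """Return {token: finding}; 'reuse' counts later requests riding that session."""
    findings = {}
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        token = parse_cookies(rec.get("cookie", "")).get("CrushAuth")
        if matches_bypass_pattern(rec):
            findings.setdefault(token, {"src": rec["src"], "hits": 0, "reuse": 0})
            findings[token]["hits"] += 1
        elif token in findings:
            findings[token]["reuse"] += 1
    return findings

if __name__ == "__main__":
    for token, f in scan(SAMPLE_LOG).items():
        print(f"{f['src']} token=...{token[-4:]} hits={f['hits']} reuse={f['reuse']}")
```

A nonzero reuse count means the token was presented again after the flagged request, which is where a review of that session's activity should start.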

3. Observed Exploitation in the Wild

Reports of in-the-wild exploitation of CVE-2025-31161 have surfaced, indicating that the vulnerability is being actively leveraged by malicious actors. On April 3, 2025, Huntress observed this exploitation, revealing further post-exploitation activities involving MeshCentral agents and other malware. Moreover, there is evidence suggesting that the compromise began as early as March 30. To date, exploitation efforts have targeted four distinct hosts from four different companies, with three of those affected being hosted by the same managed service provider (MSP). Although the names of the impacted companies have not been disclosed, they belong to the marketing, retail, and semiconductor sectors. The threat actors have utilized their access to install legitimate remote desktop software, such as AnyDesk and MeshAgent, and have taken steps to harvest credentials in at least one instance.

4. Mitigation Efforts and Remaining Risks

The ramifications of this vulnerability are far-reaching, with Huntress reporting that attackers have added non-admin users to local administrator groups and deployed additional malware components. One such component, the C++ binary “d3d11.dll,” implements an open-source library known as TgBot. The implication is that threat actors may be using a Telegram bot to collect telemetry from infected hosts. As of April 6, 2025, there remain 815 unpatched instances vulnerable to the CrushFTP exploit, with the majority located in North America and Europe. Given the active exploitation of this flaw, Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply necessary patches by the end of April to secure their networks. The urgency of patching these systems cannot be overstated, as the risk of further exploitation persists.

Next Steps and Considerations

Recent developments in the cybersecurity sector have brought the CrushFTP vulnerability into focus, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listing it in its Known Exploited Vulnerabilities (KEV) catalog. This severe security flaw permits an unauthenticated attacker to gain control over vulnerable CrushFTP instances, posing a substantial threat to the networks that use them. The active exploitation of this vulnerability underscores the urgent need to understand the mechanics of the flaw and implement measures to mitigate the associated risks.

Understanding how this vulnerability works is crucial. The flaw can be exploited remotely without needing authentication, allowing attackers to execute arbitrary code, steal sensitive data, or cause outages within affected systems. Remediation steps involve updating CrushFTP to the latest secure version, ensuring robust firewall configurations, and employing continuous monitoring to detect any signs of compromise. By staying informed and proactive, organizations can fortify their defenses against such critical threats in today’s digital landscape.
