CVE-2025-31161 Vulnerability in CrushFTP: A Critical Threat to Secure File Transfer Servers

Overview
Last month, CVE-2025-31161 emerged as one of the most critical security issues to surface, especially for organizations relying on CrushFTP for secure file transfers. Rated CVSS 9.8, this vulnerability allows unauthenticated attackers to bypass the login mechanism entirely and gain administrative control over vulnerable servers. Affected versions are CrushFTP 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The attack vector involves manipulating AWS4-HMAC headers, specifically using malformed input such as crushadmin/ to bypass authentication checks.
Vulnerability Details
The issue is rooted in two core flaws within CrushFTP’s HTTP/S component, related to session verification and AWS4-HMAC header handling:
- Race Condition in Session Verification:
The server prematurely validates user sessions without re-checking credentials, making it susceptible to race conditions.
- Index-out-of-Bounds Error with Malformed AWS4-HMAC Header:
Sending a specially crafted AWS4-HMAC header (e.g., with a trailing slash like crushadmin/) triggers an index-out-of-bounds error that bypasses session clean-up, granting unauthorized access to the server.
Together, these flaws allow attackers to forge valid authentication cookies and gain access to the server without valid credentials, leading to significant security compromises, including unauthorized access to file systems and the potential installation of remote management tools or malware.
Exploitation Scenarios
- Windows Environment:
Attackers target Windows servers running vulnerable CrushFTP versions. Once they gain administrative access, they upload malware (e.g., mesch.exe for remote access and d3d11.dll for system manipulation) to the server. These files are then executed under SYSTEM privileges via the CrushFTP service, establishing persistence. Additionally, attackers create a local admin account (CrushUser) and harvest password hashes from the registry for further exploitation.
- Linux Environment:
On Linux systems (e.g., Ubuntu, RHEL), attackers exploit the same authentication bypass to upload ELF-format payloads (e.g., reverse shells and remote access agents). They modify system startup scripts (e.g., /etc/cron.d/, /etc/rc.local) so that the malware runs on reboot, escalating privileges to root and facilitating lateral movement or data exfiltration.
- Cloud Environment:
In cloud environments, attackers use the same exploitation chain to gain admin access and upload cloud-aware agents. These agents may be used to access cloud metadata services, gather sensitive data from S3 buckets, create backdoors in cloud instances, or deploy crypto-mining jobs.
Indicators of Compromise (IOCs)
- Unexpected Administrator Accounts:
Security teams may observe a new account named “CrushUser” in the local Administrators group (Windows) or sudoers file (Linux).
- Unfamiliar Files in Temp Directories:
Files such as C:\Windows\Temp\mesch.exe (Windows) or /tmp/reverseshell (Linux) might appear unexpectedly.
- Odd Process Creations:
The appearance of unknown processes, such as mesch.exe or Java processes launching shell scripts or binaries, could indicate compromise.
- Suspicious Network Traffic:
Network logs may show abnormal outbound traffic, such as connections on uncommon ports (e.g., 3530, 4204) or large transfers to/from cloud services.
- Anomalous CrushFTP Logs:
Unusual entries in CrushFTP logs, such as requests containing malformed AWS4-HMAC headers or unusual CrushAuth cookie values, signal an exploitation attempt.
Active Exploitation
Reports from Huntress and Shadowserver indicate that the vulnerability is being actively exploited in the wild. An estimated 1,500 to 2,700 vulnerable CrushFTP servers remain exposed, with a notable concentration in Germany (around 260 servers). Attackers have been observed dumping credentials from registry hives, deploying remote monitoring tools (e.g., AnyDesk, MeshCentral), and initiating ransomware attacks.
Background and Disclosure Issues
While Outpost24 responsibly followed a 90-day disclosure timeline, a third party prematurely disclosed the issue (as CVE-2025-2825), potentially accelerating exploit development. This early disclosure may have allowed attackers to exploit the vulnerability before official patches were available.
Recommended Actions
- Immediate Patch: Organizations using affected versions of CrushFTP (10.0.0 to 10.8.3, and 11.0.0 to 11.3.0) should immediately upgrade to a patched version of CrushFTP.
- Temporary Workaround: Enable DMZ mode to isolate the server from direct internet access and reduce exposure to attacks.
- Access Restrictions: Lock down external access to the CrushFTP admin interface, particularly to prevent unauthorized administrative login attempts.
- Monitor for IOCs: Continuously monitor for signs of compromise, especially new administrator accounts or the presence of unexpected files and processes.
- Federal Agencies: As mandated by CISA, all federal agencies must patch affected CrushFTP servers by April 28, 2025, under Binding Operational Directive 22-01.
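To triage the first recommendation across a fleet, the affected ranges can be encoded once and checked against an inventory. This is an added example, not code from the original post or from CrushFTP; the hostnames and version strings are constructed, and the version-string formats it accepts are an assumption.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges as stated in the advisory: 10.0.0-10.8.3 and 11.0.0-11.3.0.
AFFECTED: List[Tuple[Version, Version]] = [
    ((10, 0, 0), (10, 8, 3)),
    ((11, 0, 0), (11, 3, 0)),
]


def parse_version(text: str) -> Version:
    """Extract major.minor.patch from strings like '11.3.0', 'v10.8' or 'CrushFTP 11.2.1_rc'.

    A missing patch component is treated as 0 (assumption, not CrushFTP's own convention).
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(text: str) -> bool:
    """True when the version falls inside one of the advisory's inclusive ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


# Constructed inventory (hostname -> reported version string); not real hosts.
INVENTORY: Dict[str, str] = {
    "ftp-01.example.internal": "CrushFTP 11.3.0",
    "ftp-02.example.internal": "11.3.1",
    "ftp-03.example.internal": "v10.8",
    "ftp-04.example.internal": "10.8.4",
    "ftp-05.example.internal": "9.5.2",
}


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose reported version sits inside an affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))
```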
Conclusion
The CVE-2025-31161 vulnerability in CrushFTP presents a serious risk to organizations that rely on secure file transfer services. It is critical for affected users to patch immediately and implement mitigating controls to avoid exploitation. Vigilant monitoring and quick response can help prevent further damage if systems are already compromised.