CVE-2025-31161 — CrushFTP Authentication Bypass Vulnerability

CVE-2025-31161

CrushFTP — HTTP Authorization Header Spoofing Enabling Pre-Auth Account Takeover (Ransomware, Fog)

What is CrushFTP?

CrushFTP is a cross-platform enterprise managed file transfer (MFT) server supporting SFTP, FTP, FTPS, HTTPS, WebDAV, and other protocols. It is used by organizations in regulated industries for secure, auditable file transfers with business partners and clients. CrushFTP has had multiple critical vulnerabilities in a short period, making it a recurring high-priority target. Because CrushFTP handles sensitive business documents and is often internet-accessible, compromising it gives direct access to transferred files and a foothold in the corporate network. CrushFTP also exposes an S3-compatible API over its HTTP listener, and that code path is where this vulnerability lives.

Overview

CVE-2025-31161 is a critical authentication bypass vulnerability (CWE-305) in CrushFTP that allows an unauthenticated remote attacker to authenticate as any known or guessable user, including the built-in crushadmin superuser, by abusing how CrushFTP processes the HTTP Authorization header. No valid password is required. Successful exploitation gives the attacker full access to the CrushFTP instance as the targeted user, including all stored files, configuration, and administrative functions. Ransomware operators (including the Fog ransomware group) exploited this in attacks, and CISA's KEV entry flags known ransomware campaign use.

Affected Versions

Branch          Vulnerable          Fixed
CrushFTP 10.x   Prior to 10.8.4     10.8.4
CrushFTP 11.x   Prior to 11.3.1     11.3.1

Technical Details

The vulnerability (CWE-305: Authentication Bypass by Primary Weakness) is in CrushFTP's handling of the HTTP Authorization header. CrushFTP supports S3-compatible API access, which uses AWS Signature Version 4 style Authorization headers of the form:

Authorization: AWS4-HMAC-SHA256 Credential=<username>/<date>/<region>/<service>/aws4_request, ...

In a correct SigV4 implementation, the Credential component only names the account; proof of identity comes from the Signature field that follows it, an HMAC over the canonical request computed with that account's secret. CrushFTP's authentication logic trusted the username from the Credential component without verifying that signature or tying the request to an existing authenticated session. An attacker who knows or guesses a username (e.g., crushadmin) can therefore craft an Authorization header naming that user and send it in an HTTP request; the server grants access as that user without checking either the cryptographic signature or the password.

The result is full access to the CrushFTP web interface and every administrative function available at the privilege level of the targeted account.
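To make the CWE-305 pattern concrete, the following is an added Python model written for this page. It is not CrushFTP's code and does not reproduce the real exploit: the canonical request is reduced to "method, path, date", the per-user secrets are a constructed in-memory table, and all function and variable names are hypothetical. It contrasts a verifier that trusts the Credential username (the vulnerable pattern) with one that recomputes the SigV4-style signature from the claimed user's secret.

```python
"""Added illustration (not CrushFTP's code): a SigV4-style Authorization header
must be verified with the user's secret, not trusted for the username it carries.

Simplifications: canonical request = "<method>\n<path>\n<date>"; the user table
below is constructed for the demo; names are hypothetical.
"""
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed demo secrets; CrushFTP's real user store is not modelled.
USER_SECRETS: Dict[str, bytes] = {
    "crushadmin": b"constructed-admin-secret",
    "partner01": b"constructed-partner-secret",
}

CRED_RE = re.compile(
    r"^AWS4-HMAC-SHA256\s+Credential=(?P<user>[^/]+)/(?P<date>\d{8})/(?P<region>[^/]+)/"
    r"(?P<service>[^/]+)/aws4_request,\s*SignedHeaders=(?P<headers>[^,]+),"
    r"\s*Signature=(?P<sig>[0-9a-f]{64})$"
)


def parse_authorization(header: str) -> Optional[dict]:
    """Split an AWS4-HMAC-SHA256 header into its named parts, or None if malformed."""
    m = CRED_RE.match(header.strip())
    return m.groupdict() if m else None


def _signing_key(secret: bytes, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation chain: kDate -> kRegion -> kService -> kSigning."""
    k = hmac.new(b"AWS4" + secret, date.encode(), hashlib.sha256).digest()
    for part in (region, service, "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return k


def sign_request(user: str, method: str, path: str, date: str,
                 region: str = "us-east-1", service: str = "s3") -> str:
    """What a legitimate S3-style client sends: a header signed with the user's secret."""
    canonical = f"{method}\n{path}\n{date}".encode()
    key = _signing_key(USER_SECRETS[user], date, region, service)
    sig = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={user}/{date}/{region}/{service}/aws4_request, "
            f"SignedHeaders=host;x-amz-date, Signature={sig}")


def authenticate_vulnerable(header: str) -> Optional[str]:
    """The CWE-305 pattern: the username is lifted out of Credential=... and accepted
    as long as it names a known account. The Signature field is never checked."""
    parts = parse_authorization(header)
    if parts and parts["user"] in USER_SECRETS:
        return parts["user"]
    return None


def authenticate_fixed(header: str, method: str, path: str) -> Optional[str]:
    """Hardened: recompute the signature with the claimed user's secret and compare in
    constant time. A header that merely names a user is rejected."""
    parts = parse_authorization(header)
    if not parts or parts["user"] not in USER_SECRETS:
        return None
    canonical = f"{method}\n{path}\n{parts['date']}".encode()
    key = _signing_key(USER_SECRETS[parts["user"]], parts["date"], parts["region"], parts["service"])
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, parts["sig"]):
        return None
    return parts["user"]


def demo() -> Dict[str, Optional[str]]:
    """Run a forged header (username only, garbage signature) and a genuine one past both verifiers."""
    forged = ("AWS4-HMAC-SHA256 Credential=crushadmin/20250401/us-east-1/s3/aws4_request, "
              "SignedHeaders=host;x-amz-date, Signature=" + "0" * 64)
    genuine = sign_request("partner01", "GET", "/inbox/", "20250401")
    return {
        "forged_vulnerable": authenticate_vulnerable(forged),            # 'crushadmin'
        "forged_fixed": authenticate_fixed(forged, "GET", "/inbox/"),     # None
        "genuine_fixed": authenticate_fixed(genuine, "GET", "/inbox/"),   # 'partner01'
        "genuine_wrong_path": authenticate_fixed(genuine, "GET", "/other/"),  # None
    }


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name}: {who}")
```

The forged header carries nothing an attacker could not type from memory, yet authenticate_vulnerable hands back crushadmin. The fixed path also rejects a genuine signature replayed against a different path, because the path is part of what was signed.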

Discovery

Discovered and reported by Outpost24's research team. CrushFTP shipped the fix on April 1, 2025; the CVE was published April 3.

Exploitation Context

Active exploitation has been confirmed. CISA added CVE-2025-31161 to the KEV catalog on 7 April 2025, four days after the CVE was published, with known ransomware campaign use recorded. Fog ransomware operators exploited the vulnerability to gain initial access to CrushFTP servers and deploy ransomware against enterprise targets. The speed of KEV inclusion indicates that criminal actors were targeting exposed CrushFTP deployments aggressively. It was also the first of two widely exploited CrushFTP flaws in 2025: CVE-2025-54309 (mishandled AS2 validation, July 2025) followed, underscoring the product's status as a persistent target.

Remediation

  1. Upgrade CrushFTP to 10.8.4 or later (version 10) or 11.3.1 or later (version 11) immediately.
  2. As a temporary mitigation if an upgrade is not immediately possible: restrict access to the CrushFTP HTTP/HTTPS interface to trusted IP ranges using CrushFTP's built-in IP allowlisting. This limits who can reach the vulnerable code path; it does not fix it.
  3. Hunt for unauthorized logins: review CrushFTP web access logs for requests carrying AWS4-HMAC-SHA256 Authorization headers from unexpected sources, or naming privileged accounts such as crushadmin, especially in the window before the fixed version was applied.
  4. Review stored files for unauthorized access or exfiltration; CrushFTP's audit logs record file transfer history.
  5. Rotate all CrushFTP user passwords and administrator credentials as a precaution.
  6. Enable CrushFTP's DMZ proxy feature for additional network isolation of the file transfer service.
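The following added Python helper supports steps 1 and 3 of the procedure above. It is written for this page, not CrushFTP's own tooling. Two checks are included: whether a reported CrushFTP version is at or past the fixed release for its branch (taken from the Affected Versions table), and a scan of access log lines for S3-style Authorization headers coming from outside an allowlist or naming a watched account. The log format is a constructed, simplified one (ip, user, request, status, auth header); CrushFTP's actual log layout is not modelled, so the line regex and field names are assumptions to adapt.

```python
"""Added triage helper for CVE-2025-31161 (not CrushFTP's tooling).

1. is_vulnerable(): compare a version string against the fixed releases.
2. find_suspicious_s3_auth(): flag AWS4-HMAC-SHA256 headers from outside an
   allowlist or claiming a watched account. Log format below is constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Fixed releases from the Affected Versions table on this page.
FIXED: Dict[int, Tuple[int, ...]] = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(v: str) -> Tuple[int, ...]:
    """Accept forms like '11.3.1' or '10.8.4_44'; drop any '_build' suffix."""
    core = v.strip().split("_")[0]
    return tuple(int(p) for p in core.split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the branch's fixed release, False if fixed, None if branch unknown."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


# Constructed sample log. Hypothetical format, one request per line:
# <ip> <session-user> "<METHOD> <path>" <status> auth="<Authorization header or ->"
SAMPLE_LOG = """\
203.0.113.7 crushadmin "GET /WebInterface/function/" 200 auth="AWS4-HMAC-SHA256 Credential=crushadmin/20250401/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=0000"
10.0.5.12 partner01 "PUT /inbox/report.csv" 200 auth="AWS4-HMAC-SHA256 Credential=partner01/20250401/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=8a1f"
198.51.100.23 - "GET /" 401 auth="-"
10.0.5.12 - "GET /WebInterface/function/?command=getUserList" 200 auth="AWS4-HMAC-SHA256 Credential=crushadmin/20250401/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=ffff"
203.0.113.7 crushadmin "GET /WebInterface/" 200 auth="Basic Y3J1c2hhZG1pbjpodW50ZXIy"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) auth="(?P<auth>[^"]*)"$'
)
CRED_RE = re.compile(r"Credential=(?P<user>[^/]+)/")


def find_suspicious_s3_auth(log_text: str, allow_cidrs: Sequence[str],
                            watch_users: Sequence[str] = ("crushadmin",)) -> List[dict]:
    """Return AWS4-HMAC-SHA256 requests from outside allow_cidrs or claiming a watched user."""
    nets = [ipaddress.ip_network(c) for c in allow_cidrs]
    hits: List[dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; adapt LINE_RE to the real log layout
        auth = m["auth"]
        if not auth.startswith("AWS4-HMAC-SHA256"):
            continue  # Basic, cookie or no auth: outside this hunt's scope
        src = ipaddress.ip_address(m["ip"])
        inside = any(src in n for n in nets)
        cm = CRED_RE.search(auth)
        claimed = cm["user"] if cm else None
        if not inside or claimed in watch_users:
            hits.append({
                "ip": m["ip"],
                "claimed_user": claimed,
                "path": m["path"],
                "status": int(m["status"]),
                "outside_allowlist": not inside,
            })
    return hits


if __name__ == "__main__":
    for v in ("10.8.3", "10.8.4", "11.3.0", "11.3.1_44", "9.5.0"):
        state = {True: "vulnerable", False: "fixed", None: "branch not listed"}[is_vulnerable(v)]
        print(f"{v}: {state}")
    for hit in find_suspicious_s3_auth(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(hit)
```

Requests that succeed (status 200) with an S3-style header naming crushadmin deserve attention regardless of source address, since that account has no business using the S3 API in most deployments; the watch_users parameter exists for exactly that, and a site should extend it with its own privileged accounts.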

Key Details

Property               Value
CVE ID                 CVE-2025-31161
Vendor / Product       CrushFTP — CrushFTP
NVD Published          2025-04-03
NVD Last Modified      2025-10-31
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-305 (Authentication Bypass by Primary Weakness)
CISA KEV Added         2025-04-07
CISA KEV Deadline      2025-04-28
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-04-28. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-04-01   CrushFTP 10.8.4 and 11.3.1 released, patching the authentication bypass
2025-04-03   CVE published
2025-04-07   CISA adds CVE-2025-31161 to the Known Exploited Vulnerabilities catalog (known ransomware use)
2025-04-28   CISA BOD 22-01 remediation deadline