A recently disclosed critical security flaw affecting crushFTP has been added to its known Exploited Vulnerabilities (KEV) catalogue by the US Cybersecurity and Infrastructure Security Agency (CISA) after the emergence of reports of aggressive exploitation in the wild.
A vulnerability is a case of authentication bypassing, in which an unrecognized attacker can take over a susceptible instance. Fixed in versions 10.8.4 and 11.3.1.
“crushFTP includes an authentication bypass vulnerability for HTTP authentication headers that allows remote authenticated attackers to authenticate to known or inferable user accounts (such as crushadmin), potentially leading to a complete compromise,” CISA said in its advisory.
The drawback is assigned the CVE identifier CVE-2025-31161 (CVSS score: 9.8). Note that the same vulnerability was previously tracked as CVE-2025-2825. This is currently being rejected on the CVE list.
Development took place after the defect-related disclosure process was caught up in controversy and confusion, and Vulncheck is the CVE numbering authority (CNA), so he assigned an identifier (IE, CVE-2025-2825), but the actual CVE (i.e. CVE-2025-31161) was pending.
Outpost24, which is recognized as having responsibly disclosed the defects to the vendor, requested a CVE number from MITRE on March 13, 2025, making it clear that it is coordinating with CrushFTP so that the revisions are deployed within the 90-day disclosure period.
However, it was not until March 27th that Miter assigned the defect to CVE CVE-2025-31161. By then, Vulncheck had released his own CVE without checking in CrushFTP or Outpost24 whether a responsible disclosure process was already underway.
The Swedish cybersecurity company has released step-by-step instructions to trigger the exploit without sharing many of the technical details –
Generate a random alphanumeric session token with a minimum length of 31 characters Set the cookie to the last four characters of the value generated in step 1 of the cookie set called crushauth. crushadmin)
The ultimate result of these actions is that the session generated at initiation is authenticated as the selected user, allowing an attacker to execute commands that the user has rights to.
Huntress, who recreated the proof of concept for CVE-2025-31161, said that wild exploitation of CVE-2025-31161 was observed on April 3, 2025, revealing further post-excavation activity, including the use of measuring agents and other malware. There is some evidence to suggest that the compromise could have happened as early as March 30th.
The cybersecurity company said it had seen exploitation efforts targeting four different hosts of four different companies so far, adding that three of the affected individuals are hosted by the same managed service provider (MSP). The names of the affected companies have not been revealed, but they belong to the marketing, retail and semiconductor sectors.
Threat actors have been found to weaponize access to install legal remote desktop software such as AnyDesk and Meshagent, while also taking steps to harvest credentials in at least one example.
After deploying Meshagent, the attacker is said to have added a non-Admin user (“Crashuser”) to the local administrators group and distributed another C++ binary (“D3D11.DLL”), an implementation of the open source library TGBOT.
“TT is likely to be using telegram bots to collect telemetry from infected hosts,” Huntress researchers said.
As of April 6, 2025, 815 unearned instances were vulnerable to flaws, of which 487 were in North America and 250 in Europe. In light of active exploitation, a Federal Private Enforcement Division (FCEB) agency is required to apply the necessary patches and ensure the network by April 28th.
Source link
