On April 7, 2025, CrushFTP disclosed CVE-2025-31161, a critical authentication bypass vulnerability affecting CrushFTP versions 10 and 11 prior to 10.8.4 and 11.3.1 respectively. The flaw allowed unauthenticated remote attackers to gain access to CrushFTP servers, including the ability to authenticate as any user, administrators included.
Exploitation was confirmed in the wild shortly after disclosure, with Shadowserver Foundation reporting hundreds of exposed instances being targeted. The vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
The Vulnerability
CVE-2025-31161 was an authentication bypass caused by a race condition in the CrushFTP HTTP authentication mechanism. The flaw existed in how CrushFTP's S3-compatible API handled authentication headers.
By sending a crafted HTTP request with a specific Authorization header format, an attacker could exploit a race condition in the authentication process. The server would create an authenticated session before completing the full authentication verification, and by timing a subsequent request to use that session token, the attacker could gain access as any user on the system.
The exploit was reliable and did not require sophisticated timing. Within days of the vulnerability becoming public, working exploit code was available, and automated scanning was observed.
File Transfer Servers: The Recurring Target
CrushFTP is the latest in a long line of managed file transfer (MFT) products targeted by attackers. The pattern over the past few years has been striking:
- MOVEit Transfer (CVE-2023-34362): SQL injection exploited by the Cl0p ransomware group in May 2023, affecting thousands of organizations.
- GoAnywhere MFT (CVE-2023-0669): Pre-authentication command injection exploited by Cl0p in January 2023.
- Accellion FTA (CVE-2021-27101): SQL injection exploited by Cl0p in December 2020.
- CrushFTP (CVE-2024-4040): Server-side template injection exploited in April 2024.
File transfer servers are attractive targets for several reasons. They are internet-facing by design, they handle sensitive data, they often run with high privileges, and they are widely deployed across healthcare, finance, government, and other sectors that handle regulated data.
The Cl0p group in particular has made MFT exploitation a specialty, using zero-day vulnerabilities in these products for mass data theft and extortion. While CVE-2025-31161 was not initially attributed to Cl0p, the targeting pattern was consistent with MFT-focused threat actors.
Impact
The consequences of exploitation were severe:
Full server access. By authenticating as an administrator, an attacker gained complete control over the CrushFTP server, including the ability to read, write, and delete files.
Data exfiltration. CrushFTP servers typically store and transfer sensitive business data. Compromised servers could be used to steal files without triggering file access alerts if the attacker used legitimate administrative channels.
Lateral movement. CrushFTP servers often have network access to internal systems for file distribution. A compromised server could serve as a pivot point into the organization's internal network.
Credential harvesting. CrushFTP stores user credentials and may integrate with Active Directory or LDAP. Compromising the server could yield credentials useful for further attacks.
The Disclosure Controversy
CVE-2025-31161 was subject to a disclosure dispute. The vulnerability was initially reported and assigned a CVE through one CNA (CVE Numbering Authority), but CrushFTP disputed the timeline, arguing that premature disclosure gave attackers too much information before a patch was widely deployed.
This type of dispute is unfortunately common. Vendors prefer coordinated disclosure timelines that give them maximum time to develop and distribute patches. Researchers and CNAs argue that defenders need timely information to protect themselves. The tension is real and there is no universally correct answer.
What is clear is that once details of CVE-2025-31161 became public, exploitation began rapidly. The argument over disclosure timing, while important, is secondary to the practical reality that organizations running CrushFTP needed to patch immediately.
Remediation
CrushFTP's remediation guidance was straightforward:
- Update to CrushFTP 10.8.4 or 11.3.1 (or later versions).
- If patching is not immediately possible, enable the DMZ proxy feature, which adds a layer of indirection that prevents direct exploitation of the authentication bypass.
- Review server access logs for signs of unauthorized authentication, particularly sessions created for administrative users from unexpected source IPs.
- Audit file access logs for unusual data access patterns that could indicate exfiltration.
- Rotate all credentials stored on or processed by the CrushFTP server, including local user accounts and any LDAP/AD service account credentials.
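The log-review step above, as an added example that is not part of the original post and not CrushFTP's own tooling: it flags successful administrative logins from source IPs outside an allowlist. The log line layout, the admin account names and the allowlisted network are assumptions, and the sample lines are constructed; adapt the parser to the real log layout of your deployment.

```python
"""Flag administrative logins from unexpected source IPs in CrushFTP-style logs."""
import ipaddress
import re

# Constructed sample lines in an assumed "timestamp|event|user=...|ip=..." layout.
SAMPLE_LOG = """\
2025-04-08 02:11:03|LOGIN_OK|user=alice|ip=10.20.30.40
2025-04-08 02:14:55|LOGIN_OK|user=crushadmin|ip=10.20.30.41
2025-04-08 03:02:17|LOGIN_OK|user=crushadmin|ip=203.0.113.55
2025-04-08 03:02:18|LOGIN_FAIL|user=crushadmin|ip=198.51.100.9
2025-04-08 03:05:40|LOGIN_OK|user=svc_backup|ip=203.0.113.55
"""

ADMIN_USERS = {"crushadmin", "svc_backup"}                  # assumed admin accounts
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.20.30.0/24")]  # assumed admin source range

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\|(?P<event>\w+)\|user=(?P<user>[^|]+)\|ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ip_allowed(ip_text):
    """True if the source address falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ADMIN_ALLOWLIST)


def find_suspicious_admin_logins(log_text):
    """Return (timestamp, user, ip) for successful admin logins from outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "LOGIN_OK":
            continue  # failed logins and unparseable lines are out of scope here
        if rec["user"] in ADMIN_USERS and not ip_allowed(rec["ip"]):
            findings.append((rec["ts"], rec["user"], rec["ip"]))
    return findings


if __name__ == "__main__":
    for ts, user, ip in find_suspicious_admin_logins(SAMPLE_LOG):
        print(f"{ts} admin login for {user} from unexpected IP {ip}")
```

A single external IP reaching several admin accounts in a short span, as in the sample, is the pattern worth escalating first.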
Broader Recommendations for MFT Security
Given the pattern of MFT exploitation, organizations should take a strategic approach to securing these systems:
Treat MFT servers as high-value targets. They handle sensitive data and are internet-facing. Apply the same security rigor you would to a payment processing system or domain controller.
Minimize internet exposure. Use IP allowlisting, VPN-only access, or network-level controls to restrict who can reach the MFT server. Not every file transfer partner needs to access the server from an arbitrary IP address.
Implement network segmentation. The MFT server should be in a DMZ with restricted access to internal networks. File distribution to internal systems should use a pull model (internal systems fetch files) rather than a push model (MFT server has broad internal access).
Monitor for zero-days. Subscribe to vendor security advisories and CISA KEV updates. When a new MFT vulnerability is disclosed, assume exploitation is imminent and patch within hours, not days.
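The "patch within hours" advice only works if you can tell within minutes which hosts are affected. The following added example (not part of the original post and not Safeguard.sh's code) matches a KEV-style record against a tracked inventory using the branch-specific fixed versions the advisory states. The KEV record and the inventory are constructed samples; the record uses the field names of the public CISA KEV JSON feed.

```python
"""Match a CISA KEV-style record for CVE-2025-31161 against a software inventory."""
import json

# Constructed record using the CISA KEV feed's field names (not the live feed).
KEV_SAMPLE = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2025-31161",
    "vendorProject": "CrushFTP",
    "product": "CrushFTP",
    "vulnerabilityName": "CrushFTP Authentication Bypass Vulnerability",
}]})

# Fixed versions per major branch, as stated in the advisory: 10.8.4 and 11.3.1.
FIXED_VERSIONS = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text):
    """'10.8.3' -> (10, 8, 3). Build suffixes such as '_10' are dropped."""
    parts = [int(p) for p in text.strip().split("_")[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version_text):
    """True if a CrushFTP version lies below the fixed release of its branch."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return False  # branch not covered by the advisory: not flagged here
    return v < fixed


def match_inventory(kev_json, inventory):
    """Return (host, cveID) pairs for tracked CrushFTP installs in an affected range."""
    hits = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if entry["product"].lower() != "crushftp":
            continue
        for item in inventory:
            if item["product"].lower() == "crushftp" and is_vulnerable(item["version"]):
                hits.append((item["host"], entry["cveID"]))
    return hits


INVENTORY = [  # constructed sample inventory (hostnames are placeholders)
    {"host": "mft-dmz-01", "product": "CrushFTP", "version": "11.2.3"},
    {"host": "mft-dmz-02", "product": "CrushFTP", "version": "11.3.1"},
    {"host": "mft-legacy", "product": "CrushFTP", "version": "10.7.1_3"},
    {"host": "mft-dmz-03", "product": "CrushFTP", "version": "10.8.4"},
]

if __name__ == "__main__":
    for host, cve in match_inventory(KEV_SAMPLE, INVENTORY):
        print(f"{host}: affected by {cve}, patch immediately")
```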
How Safeguard.sh Helps
Safeguard.sh provides continuous vulnerability monitoring that covers your entire software deployment, including file transfer infrastructure. When vulnerabilities like CVE-2025-31161 are disclosed and added to the CISA KEV catalog, Safeguard alerts you immediately if the affected software is present in your tracked environment.
Safeguard's SBOM-driven approach ensures that your file transfer servers are included in your vulnerability management program, not overlooked as "infrastructure" that falls between the cracks of application security and network security teams. With Safeguard, you can enforce patching policies for critical infrastructure and track compliance across your organization.