CrushFTP CVE-2025-31161 Auth Bypass Vulnerability and Exploitation Analysis

Key Information Summary Vulnerability Overview Vulnerability Name: CrushFTP auth bypass vulnerability (CVE-2025-31161) CVSS Score: 9.8 (Critical) Affected Scope: Unpatched versions of CrushFTP v10 or v11 Exploitation Method: Remote attackers can exploit this vulnerability to gain unauthorized access to devices running CrushFTP servers Timeline March 17, 2023: Outpost24 requested a CVE ID from MITRE March 18, 2023: Outpost24 contacted CrushFTP to report the discovered vulnerability March 19, 2023: Outpost24 met with CrushFTP CEO Ben Spink to discuss technical details; CrushFTP quickly developed a patch March 20–21, 2023: Further discussions with CrushFTP on disclosure; due to severity, it was critical to ensure CrushFTP users were promptly informed and upgraded March 25, 2023: VulnCheck published a CVE (CVE-2025-2825) for the vulnerability, but did not notify CrushFTP or Outpost24 March 27, 2023: MITRE assigned a separate CVE ID: CVE-2025-31161 March 28, 2023: Media began reporting on the vulnerability; other parties exploited the situation by publishing blogs and PoC code Vulnerability Details Location: HTTP Authorization header in CrushFTP Target Function: AWS4-HMAC-SHA256 authentication, used for Amazon service support Bypass Mechanism: The server retrieves user information after receiving the initial authentication mechanism and authenticates the user immediately without requiring a password. Although subsequent requests require a password, using any valid username allows the session to remain active for a period Exploitation Difficulty: Requires a very short time window; theoretically achievable by sending a modified Authorization header to complete the request before session initialization Risk: Many users choose "crashadmin" as the admin username or use easily guessable usernames, making it trivial to exploit and gain administrative privileges Exploitation Steps 1. Generate a random alphanumeric session token (at least 31 characters) 2. Set a cookie named with the value of the token generated in step 1 3. Create a cookie named with the value of the first 4 characters of the token from step 1 4. Send an HTTP GET request to , including the cookies from steps 2 and 3, and set the Authorization header to , where is the target user (e.g., ) 5. The session created in step 1 should now be authenticated as the selected user, allowing execution of any commands permitted to that user Mitigation Measures Immediately upgrade to CrushFTP version 10.8.4 or 11.3.1 or later Use Outpost24’s Cubetiq Flex solution for continuous monitoring and protection of application attack surfaces

Goal Reached Thanks to every supporter — we hit 100%!

CrushFTP CVE-2025-31161 Auth Bypass Vulnerability and Exploitation Analysis