CVE-2025-31161# CVE-2025-31161 – Authentication Bypass in CrushFTP 👊
| Category | Details |
| ------------------------ | ---------------------------------------- |
| **CVE ID** | CVE-2025-31161 |
| **Severity** | Critical |
| **CVSS Score** | 9.8 (CVSS 3.1) |
| **Impact** | Full unauthenticated access |
| **Attack Vector** | Network (HTTP/S) |
| **Authentication** | Not required |
| **Affected Software** | CrushFTP 10.0.0–10.8.3 and 11.0.0–11.3.0 |
| **Fixed In** | Versions 10.8.4 and 11.3.1 |
| **Exploitation Status** | Actively exploited in the wild |
| **Disclosure** | March/April 2025 |
| **Included in CISA KEV** | Yes |
---
### 🧠 Vulnerability Details:
* The vulnerability lies in the **AWS4-HMAC-SHA256 authentication** used by CrushFTP.
* A specially crafted request containing a malformed `Authorization` header (e.g., `Credential=crushadmin/`) triggers an **authentication bypass**.
* The logic flaw can be exploited to **skip user validation checks**, often due to an **index-out-of-bounds** issue.
* An attacker can use **any known or default username** like `crushadmin` **without a password** to gain access.
---
### 🚨 Exploitation & Impact:
* Attackers exploited this in the wild to:
* Upload files and web shells
* Create backdoor user accounts
* Dump credentials and configuration files
* Deploy remote access tools (e.g., AnyDesk, MeshCentral)
* Approximately 1,500 vulnerable instances were detected exposed online.
* The exploit is **simple and reliable**, making it highly dangerous for internet-facing servers.
---
### 🛡️ Recommended Mitigations:
1. **Update CrushFTP** to version 10.8.4 or 11.3.1 immediately.
2. **If unable to patch**, use the **DMZ proxy** workaround to isolate HTTP/S access.
3. **Audit server logs** for unusual `Authorization` headers or unexpected admin activity.
4. **Restrict access** to the admin interface from public networks.
5. **Rotate credentials** and check for suspicious users, files, or tools on the server.
---
### ⚙️ Usage:
<img width="1920" height="1031" alt="bug29" src="https://github.com/user-attachments/assets/bd9bbeaf-4638-4e6e-ae09-2cc894d4764e" />
<img width="1920" height="1032" alt="bug30" src="https://github.com/user-attachments/assets/82baaed3-124e-4ba1-a075-0ea9abbbe3e7" />
```
usage: cve-2025-31161.py [-h] [--target_host TARGET_HOST] [--port PORT] [--target_user TARGET_USER] [--new_user NEW_USER] [--password PASSWORD]
Exploit CVE-2025-2825
options:
-h, --help show this help message and exit
--target_host TARGET_HOST
Target host
--port PORT Target port
--target_user TARGET_USER
Target user
--new_user NEW_USER New user to create
--password PASSWORD Password for the new user
```
### 🔒 Disclaimer:
This content is provided for educational and informational purposes only. Any references to vulnerabilities, tools, or exploits are intended to promote awareness, defensive security, and responsible disclosure. Unauthorized access to systems without permission is illegal and unethical. Always test in controlled environments and respect the laws and regulations of your country.
[4.0K] /data/pocs/6abfa557de271826588615c73203f78fd9debbef
├── [3.4K] CVE-2025-31161.py
└── [3.5K] README.md
0 directories, 2 files