
CISA Includes CVE-2025-31161 in KEV Catalog


The recent addition of a new vulnerability to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities Catalog has raised concerns among users of CrushFTP, a popular FTP server software. This vulnerability, known as CVE-2025-31161, specifically affects versions of CrushFTP prior to 10.8.4 and 11.3.1, leaving users vulnerable to an authentication bypass attack.

CVE-2025-31161 allows attackers to bypass authentication mechanisms and take over administrative accounts, such as the “crushadmin” account, unless specific protective measures like a DMZ proxy instance are in place. The vulnerability is linked to a race condition in the AWS4-HMAC authorization method used by CrushFTP’s HTTP component.

The flaw enables attackers to authenticate as any user, including administrative accounts, without needing to provide the correct password. This authentication bypass not only facilitates unauthorized access but also allows for full system compromise, putting sensitive data and critical infrastructure at risk.

The vulnerability in CrushFTP arises from the order in which the server verifies user credentials during the login process. The server first checks whether a username exists without requiring a password, and the session can be marked as authenticated through the HMAC verification path before the full credential check has happened. Because the server does not fully verify the user's credentials until later, there is a window in which an attacker can inject a manipulated AWS4-HMAC header. The result is an "anypass" authentication condition, in which the server mistakenly authenticates the attacker as a valid user.

The impact and severity of CVE-2025-31161 are significant: it carries a CVSS score of 9.8, classifying it as critical. This rating reflects the serious risk the flaw poses to organizations running affected versions of CrushFTP, potentially leading to data breaches, unauthorized access to sensitive files, and system outages.

To mitigate the risk posed by CVE-2025-31161, users are strongly advised to update to the fixed versions of CrushFTP: 10.8.4 or later on the 10.x line, and 11.3.1 or later on the 11.x line. Updating to the latest secure versions and enabling automated updates improve protection against vulnerabilities of this kind. Users on older versions of CrushFTP are urged to update immediately to avoid unauthorized access.
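As an added example (not code from the article, CISA, or CrushFTP), the following script covers the two practitioner tasks the paragraphs above imply: deciding whether an installed CrushFTP build falls under the affected ranges named here, and reviewing constructed access-log lines for requests that carry an AWS4-HMAC Authorization header naming a privileged account such as crushadmin. It assumes that the first component of the SigV4 Credential field is the account name the request authenticates as, and the log format is constructed for illustration.

```python
import re
from typing import Optional

# Fix versions named in the advisory text: 10.8.4 for the 10.x line, 11.3.1 for the 11.x line.
FIXED_BY_MAJOR = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(version: str) -> tuple:
    """Turn '10.8.3' into (10, 8, 3); missing trailing components count as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_affected(version: str) -> Optional[bool]:
    """True if the build is older than the fix for its major line, False if patched,
    None when the major line is not one the advisory covers (only 10.x and 11.x are named)."""
    v = parse_version(version)
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        return None
    return v < fixed


# Assumption: the first component of the SigV4 Credential field is the account name
# the request is trying to authenticate as; the regex pulls that component out.
AWS4_CRED = re.compile(r'AWS4-HMAC-SHA256\s+Credential=([^/\s"]+)/')


def flag_aws4_logins(log_lines, watch=("crushadmin",)):
    """Return (principal, line) for each request carrying an AWS4-HMAC Authorization
    header whose credential principal is on the watch list (defaults to crushadmin)."""
    hits = []
    for line in log_lines:
        m = AWS4_CRED.search(line)
        if m and m.group(1) in watch:
            hits.append((m.group(1), line))
    return hits


# Constructed sample access-log lines (not real traffic); the header is appended as a quoted field.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2025:10:00:01] "GET /WebInterface/ HTTP/1.1" 200 "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/20250401/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=deadbeef"',
    '203.0.113.7 - - [01/Apr/2025:10:00:02] "GET /s3/ HTTP/1.1" 200 "Authorization: AWS4-HMAC-SHA256 Credential=backupsvc/20250401/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=cafebabe"',
    '198.51.100.9 - - [01/Apr/2025:10:00:03] "POST /WebInterface/function/ HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for v in ("10.8.3", "10.8.4", "11.2.9", "11.3.1"):
        print(v, "affected" if is_affected(v) else "patched")
    for who, line in flag_aws4_logins(SAMPLE_LOG):
        print("review AWS4 login by", who, "from", line.split()[0])
```

Widen the watch list to every account that holds admin rights on the server; a match is a review trigger, not proof of compromise, since legitimate S3-style clients also sign with AWS4-HMAC.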

In conclusion, the CVE-2025-31161 vulnerability underscores the importance of regular security patches and implementing additional security measures to protect against potential exploits. Users must remain vigilant and proactive in securing their systems to mitigate the risks posed by such vulnerabilities.

