CVE-2025-31161: Critical Authentication Bypass in CrushFTP Exploited in the Wild

CVE-2025-31161

Filip Dimitrov

April 25, 2025

A critical authentication bypass vulnerability in CrushFTP, tracked as CVE-2025-31161, is being actively exploited in the wild. The flaw allows remote, unauthenticated attackers to impersonate valid users, including the default crushadmin account, and perform administrative actions without credentials.

The vulnerability affects CrushFTP versions 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0.

The issue lies in a race condition and flawed logic within the AWS4-HMAC authentication mechanism, allowing attackers to bypass standard login flows with specially crafted HTTP headers.

Technical Overview

Exploitation of CVE-2025-31161 abuses how CrushFTP processes S3-style AWS authorization headers on its HTTP interface. Attackers can:

  • Send a Credential=crushadmin/ header
  • Supply a malformed or placeholder CrushAuth cookie
  • Trigger a logic bug that skips proper verification checks

If the SignedHeaders field is malformed or missing, the server throws an internal error only after access has already been granted, so the authenticated session persists without being cleaned up.

This results in full access to administrative functions, including user creation, file upload/download, and execution of remote commands.

Exploitation in the Wild

Security researchers have confirmed that exploitation of CVE-2025-31161 began as early as March 30, 2025. Threat actors are targeting public-facing CrushFTP servers for:

  • Deploying backdoors via new admin accounts (e.g., Eaion6Mz)
  • Installing RMM tools like MeshCentral, SimpleHelp, and AnyDesk
  • Dropping malware, including Telegram bot-controlled DLLs

Evidence of post-exploitation includes:

  • Credential dumping via registry hive access
  • Abuse of crushadmin privileges to alter user configs
  • Installation of Cloudflare Tunnels for persistence

Detection and Indicators of Compromise (IOCs)

Key Indicators:

  • HTTP logs containing Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
  • Session logs referencing CrushAuth cookies with ~31-character strings
  • Unusual POST requests to /WebInterface/function/ endpoints
  • Creation of unexpected admin users (e.g., vmadmin, Eaion6Mz)
  • File uploads to C:\Windows\Temp\ (e.g., mesch.exe, d3d11.dll, storm.exe)

Observed Attacker IPs:

  • 172.235.144[.]67
  • 2.58.56[.]16
  • 143.244.47[.]67
  • 146.70.166[.]201
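As an added detection example (not from this advisory, and not CrushFTP's own code), the following Python scans access-log-style lines for the indicators listed above and aggregates hits per source IP. The "<ip> <method> <path> <headers>" log layout, the +/-2 tolerance on the cookie length, and the sample lines are assumptions constructed for the demo; adapt the LINE pattern to your own CrushFTP.log or session log format.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Indicators from the advisory above. The "<ip> <method> <path> <headers>" layout
# parsed here is constructed for this example, not CrushFTP's real log format.
LINE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<rest>.*)$")
CRUSHADMIN_CRED = re.compile(r"AWS4-HMAC-SHA256\s+Credential=crushadmin/")
CRUSHAUTH_COOKIE = re.compile(r"CrushAuth=([^;\"\s]+)")
FUNCTION_POST = re.compile(r"\bPOST\s+/WebInterface/function/")
KNOWN_BAD_IPS = {"172.235.144.67", "2.58.56.16", "143.244.47.67", "146.70.166.201"}


def indicators_for(line: str) -> set[str]:
    """Return the names of the advisory indicators that one log line matches."""
    hits: set[str] = set()
    m = LINE.match(line)
    if not m:
        return hits
    ip, rest = m.group("ip"), m.group("rest")
    if ip in KNOWN_BAD_IPS:
        hits.add("known_attacker_ip")
    if CRUSHADMIN_CRED.search(rest):
        hits.add("crushadmin_aws4_credential")
    cookie = CRUSHAUTH_COOKIE.search(rest)
    # Advisory cites ~31-character CrushAuth values; the +/-2 tolerance is an assumption.
    if cookie and 29 <= len(cookie.group(1)) <= 33:
        hits.add("short_crushauth_cookie")
    if FUNCTION_POST.search(rest):
        hits.add("post_webinterface_function")
    return hits


def scan_log(text: str) -> dict[str, set[str]]:
    """Aggregate indicators per source IP, dropping sources that only hit the weak POST signal."""
    per_ip: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            per_ip[m.group("ip")] |= indicators_for(line)
    return {ip: h for ip, h in per_ip.items() if h - {"post_webinterface_function"}}


# Constructed sample lines (not real traffic); the third is a benign AWS4 request.
SAMPLE_LOG = """\
203.0.113.10 POST /WebInterface/function/ Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/ Cookie: CrushAuth=0123456789012345678901234567890
203.0.113.10 POST /WebInterface/function/ Cookie: CrushAuth=0123456789012345678901234567890
198.51.100.7 POST /WebInterface/function/ Authorization: AWS4-HMAC-SHA256 Credential=alice/20250425/us-east-1/s3/aws4_request
172.235.144.67 GET /WebInterface/
"""
```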

Mitigation Steps

  1. Upgrade Immediately:
    • Version 10.8.4+ for CrushFTP 10
    • Version 11.3.1+ for CrushFTP 11
  2. Isolate Public-Facing Instances:
    • Use DMZ proxy configurations as recommended by the vendor
  3. Audit Logs for Exploitation Attempts:
    • Focus on CrushFTP.log and /logs/session_logs/
  4. Revoke Credentials and Reset Passwords for any compromised accounts
  5. Deploy EDR or SIEM detection rules to identify shell processes spawned by CrushFTPService.exe

OP Innovate’s Guidance

Organizations using CrushFTP are urged to take action now. This vulnerability enables full system compromise with no authentication and minimal complexity. The use of default admin accounts (crushadmin) and the presence of public PoC exploits significantly raise the risk of mass exploitation.

If you’re unsure whether your systems are exposed or have already been compromised, OP Innovate’s Incident Response team is available for immediate consultation and triage.