The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability, tracked as CVE-2025-31161, is an authentication bypass in CrushFTP, a widely used file transfer server.
CVE-2025-31161 affects versions of CrushFTP prior to 10.8.4 and 11.3.1, leaving unpatched deployments open to an authentication bypass attack. The flaw allows attackers to bypass authentication and take over administrative accounts, such as the built-in "crushadmin" account, unless specific protective measures such as a DMZ proxy instance are in place. The vulnerability stems from a race condition in the AWS4-HMAC (S3-compatible) authorization method used by CrushFTP's HTTP component.
The flaw lets an attacker authenticate as any user, including administrative accounts, without supplying the correct password. By exploiting it, attackers bypass the standard authentication process entirely, making compromise of the server trivial. This not only enables unauthorized access but can also lead to full system compromise, putting sensitive data and critical infrastructure at risk.
How Does the CVE-2025-31161 Vulnerability Work?
The vulnerability arises from the way CrushFTP verifies user credentials during login. Specifically, the server first checks whether a username exists without requiring a password, and the session is treated as authenticated through the HMAC verification path. The server does not fully verify the user's credentials until later, which creates a window of opportunity for an attacker to inject a manipulated AWS4-HMAC header.
This results in an "anypass" authentication condition, in which the server mistakenly authenticates the attacker as a valid user. Furthermore, by manipulating the AWS4-HMAC header, the attacker can trigger an index-out-of-bounds error that prevents the session from being cleaned up, effectively allowing the attacker to retain access indefinitely. This combination of factors makes the flaw both dangerous and easy to exploit.
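Because the attack hinges on a malformed AWS4-HMAC authorization header reaching the HTTP component, one practical detection is to check every `AWS4-HMAC-SHA256` Authorization header in the access log against the public AWS Signature Version 4 layout (`Credential=<key>/<YYYYMMDD>/<region>/<service>/aws4_request, SignedHeaders=..., Signature=<64 hex>`) and alert on anything that does not fit, especially for privileged accounts. The following is an added example written for this article, not code from CrushFTP or from the original report. The log lines, the tab-separated log format, and the `PRIVILEGED_USERS` set are constructed assumptions; the article does not give the exact payload used in the wild, so the check is purely structural.

```python
import re
from dataclasses import dataclass

# Public AWS Signature Version 4 layout (the S3-compatible scheme CrushFTP's HTTP
# component accepts):
#   AWS4-HMAC-SHA256 Credential=<key>/<YYYYMMDD>/<region>/<service>/aws4_request,
#                    SignedHeaders=<h1;h2;...>, Signature=<64 lowercase hex chars>
SIGV4_RE = re.compile(
    r"^AWS4-HMAC-SHA256\s+"
    r"Credential=(?P<cred>[^,\s]*)\s*,\s*"
    r"SignedHeaders=(?P<signed>[^,\s]*)\s*,\s*"
    r"Signature=(?P<sig>[^,\s]*)\s*$"
)

# Assumption: the accounts you treat as privileged on your CrushFTP instance.
PRIVILEGED_USERS = {"crushadmin"}


@dataclass
class Finding:
    line_no: int
    client: str
    user: str
    reasons: list


def inspect_sigv4(header):
    """Return (username, reasons) for one Authorization header value.

    Headers that do not claim AWS4-HMAC-SHA256 are ignored: ("", []).
    A non-empty reasons list means the header is structurally suspicious.
    """
    if not header.startswith("AWS4-HMAC-SHA256"):
        return "", []
    m = SIGV4_RE.match(header)
    if not m:
        # Not even the three components parse; salvage the name before the first '/'.
        cm = re.search(r"Credential=([^/,\s]*)", header)
        return (cm.group(1) if cm else ""), ["unparseable SigV4 header"]
    parts = m.group("cred").split("/")
    user = parts[0]
    reasons = []
    if len(parts) != 5:
        reasons.append("credential scope has %d parts, expected 5" % len(parts))
    elif not all(parts):
        reasons.append("credential scope has an empty component")
    else:
        if not re.fullmatch(r"\d{8}", parts[1]):
            reasons.append("credential date is not YYYYMMDD")
        if parts[4] != "aws4_request":
            reasons.append("credential scope does not end in aws4_request")
    if not re.fullmatch(r"[0-9a-f]{64}", m.group("sig")):
        reasons.append("signature is not 64 lowercase hex chars")
    if not m.group("signed"):
        reasons.append("SignedHeaders is empty")
    if user in PRIVILEGED_USERS:
        reasons.append("SigV4 login for privileged account")
    return user, reasons


def scan_log(lines):
    """Scan constructed tab-separated lines: time, client, request, status, authorization."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5:
            continue  # not in the assumed format; a real deployment would adapt this split
        _ts, client, _request, _status, auth = fields
        user, reasons = inspect_sigv4(auth)
        if reasons:
            findings.append(Finding(n, client, user, reasons))
    return findings


# Constructed sample log (not real traffic): one well-formed SigV4 request, one Basic
# auth request, one SigV4 header with the credential scope missing entirely, and one
# with a well-formed scope but a bogus signature.
GOOD_SIG = "a" * 64
SAMPLE_LOG = [
    "2025-04-03T10:15:22Z\t203.0.113.5\tGET /WebInterface/\t200\t"
    "AWS4-HMAC-SHA256 Credential=bob/20250403/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-date, Signature=" + GOOD_SIG,
    "2025-04-03T10:15:30Z\t198.51.100.7\tGET /WebInterface/\t200\tBasic Ym9iOnNlY3JldA==",
    "2025-04-03T10:16:01Z\t198.51.100.9\tGET /WebInterface/function/\t200\t"
    "AWS4-HMAC-SHA256 Credential=crushadmin/, SignedHeaders=host, Signature=",
    "2025-04-03T10:16:05Z\t198.51.100.9\tGET /WebInterface/function/\t200\t"
    "AWS4-HMAC-SHA256 Credential=alice/20250403/us-east-1/s3/aws4_request, "
    "SignedHeaders=host, Signature=deadbeef",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %d from %s user=%r: %s" % (f.line_no, f.client, f.user, "; ".join(f.reasons)))
```

Run against the constructed sample, lines 3 and 4 are flagged and lines 1 and 2 are not. The check is deliberately conservative: a legitimate S3-compatible client always sends all five scope components and a 64-character hex signature, so anything else is worth a look regardless of whether the request succeeded, and any SigV4 login for a privileged account deserves an alert on its own.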
Impact and Severity of CVE-2025-31161
The vulnerability is rated critical, with a CVSS score of 9.8. This severity score reflects the serious risk the flaw poses to organizations running affected versions of CrushFTP. It is particularly concerning because it can lead to full system compromise, including takeover of administrative accounts without any valid credentials.
This flaw is not just a theoretical risk: it has been actively exploited in the wild, which is why users need to take immediate action. Left unaddressed, the vulnerability could lead to data breaches, unauthorized access to sensitive files, and potential system outages.
Affected Versions and Mitigation
The following versions of CrushFTP are affected by the authentication bypass vulnerability:
- CrushFTP 10.0.0 to 10.8.3
- CrushFTP 11.0.0 to 11.3.0
To mitigate the risk, users are strongly advised to update to the patched versions:
- CrushFTP 10.8.4 or later
- CrushFTP 11.3.1 or later
Those who have not yet updated should do so as soon as possible to avoid exposure to this vulnerability. The update is straightforward and can be performed from the CrushFTP dashboard.
If direct updates are not possible, users can download the latest versions manually and apply the patches offline.
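When a KEV entry lands, the first job is usually to triage a fleet of servers against the affected ranges above. The following is an added example written for this article, not a CrushFTP tool. It assumes version strings in the `x.y.z` or `x.y.z_NN` build form the vendor uses (the `_NN` build suffix is ignored because the ranges are stated without it); the inventory is constructed. Versions outside the 10.x and 11.x ranges listed here are reported as unlisted rather than assumed safe.

```python
import re

# Affected ranges as given in the advisory text (inclusive), and the fixed releases.
AFFECTED = [((10, 0, 0), (10, 8, 3)), ((11, 0, 0), (11, 3, 0))]
FIXED = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(s):
    """Extract (major, minor, patch) from '11.3.0', 'v10.8.3_12' or 'CrushFTP 11.2.3_19'.

    The '_NN' build suffix is dropped; the published ranges do not use it.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError("no x.y.z version found in %r" % s)
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version):
    """True if the version falls inside one of the published affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def triage(inventory):
    """Map host -> 'vulnerable, update to X', 'patched' or 'unlisted'.

    'unlisted' covers major versions the advisory does not mention (e.g. 9.x),
    which must be checked against the vendor separately rather than assumed safe.
    """
    result = {}
    for host, ver in inventory.items():
        v = parse_version(ver)
        if is_vulnerable(ver):
            target = ".".join(str(n) for n in FIXED[v[0]])
            result[host] = "vulnerable, update to " + target
        elif v[0] in FIXED:
            result[host] = "patched"
        else:
            result[host] = "unlisted"
    return result


# Constructed inventory (hostnames and versions are invented for illustration).
INVENTORY = {
    "ftp-a.example.test": "CrushFTP 11.3.0_12",
    "ftp-b.example.test": "10.8.4",
    "ftp-c.example.test": "v10.8.3_9",
    "ftp-d.example.test": "9.4.1",
}

if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print("%-20s %s" % (host, status))
```

Run on the constructed inventory this reports `ftp-a` and `ftp-c` as vulnerable (update targets 11.3.1 and 10.8.4 respectively), `ftp-b` as patched, and `ftp-d` as unlisted.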
Conclusion
To strengthen protection against vulnerabilities like CVE-2025-31161, users should not only update CrushFTP to the latest secure versions but also enable automatic updates by setting the "daily_check_and_auto_update_on_idle" flag in the preferences XML file, which is available in v11.2.3_19 and later.
Additionally, configuring email reset URL domains and putting further security measures in place, such as a DMZ proxy, is highly recommended. Users on older versions such as v10.6.1 or v10.5.5 must update immediately to avoid unauthorized access.
This vulnerability is not an isolated issue: earlier CrushFTP versions have also been affected by flaws such as password reset exploits and XSS bugs, underscoring the need for regular security patching.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.