SentinelOne
CVE Vulnerability Database

CVE-2025-31161: CrushFTP Authentication Bypass Vulnerability

CVE-2025-31161 is an authentication bypass flaw in CrushFTP that allows attackers to gain unauthorized admin access through a race condition in AWS4-HMAC authorization. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2025-31161 Overview

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025. This vulnerability is known as "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC authorization method, allowing trivial authentication as any known or guessable user.

Critical Impact

Potential for full administrative access and complete system compromise.

Affected Products

  • CrushFTP 10 before 10.8.4
  • CrushFTP 11 before 11.3.1

Discovery Timeline

  • 2025-04-03 - CVE CVE-2025-31161 published to NVD
  • 2025-10-31 - Last updated in NVD database

Technical Details for CVE-2025-31161

Vulnerability Analysis

This vulnerability arises from a race condition within the AWS4-HMAC authorization method of CrushFTP's HTTP component. The server erroneously calls login_user_pass() without requiring a password, so the session is treated as authenticated. By exploiting this with a mangled AWS4-HMAC header, attackers can bypass authentication and potentially escalate privileges by taking over known user accounts such as "crushadmin."

Root Cause

The root cause is an index-out-of-bounds error due to improper handling of authentication headers, leading to authentication bypass.

Attack Vector

The attack vector is network-based, exploiting flawed authentication handling over HTTP(S) ports.

```python
# Example exploitation code (sanitized): a request whose Authorization header
# names a user in the AWS4-HMAC Credential field; "Signature=value" is a
# placeholder, not a valid signature.
import requests

url = "http://example-crushftp-server"
headers = {
    'Authorization': 'AWS4-HMAC-SHA256 Credential=attack_user/20250401/us-east-1/s3/aws4_request, '
                     'SignedHeaders=host;x-amz-date, Signature=value'
}
response = requests.get(url, headers=headers)

if response.status_code == 200:
    print("Successfully bypassed authentication!")
```

Detection Methods for CVE-2025-31161

Indicators of Compromise

  • Unexpected logs of crushadmin login without password
  • Unusual access from internal accounts
  • Detected anomalies in login patterns

Detection Strategies

Monitor for unauthorized access, inspect logs for patterns consistent with known exploitation techniques, and flag unrecognized or unexpected credentials presented in AWS4-HMAC Authorization headers.
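As an added illustration of the detection strategy above (this is not code from the advisory or from CrushFTP), the Python below parses AWS4-HMAC-SHA256 Authorization headers out of request-log lines and flags the cases the page calls out: an admin account such as crushadmin presented through AWS4-HMAC, a user that is not in the server's known-user list, and a mangled credential scope or unparseable header. The log line format, the user lists and the sample lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Shape of a well-formed AWS4-HMAC-SHA256 Authorization header value:
# Credential=<user>/<date>/<region>/<service>/aws4_request, SignedHeaders=..., Signature=...
AWS4_RE = re.compile(
    r"AWS4-HMAC-SHA256\s+Credential=(?P<cred>[^,\s]+),\s*"
    r"SignedHeaders=(?P<signed>[^,\s]+),\s*Signature=(?P<sig>\S+)"
)

@dataclass
class Finding:
    line_no: int
    user: str
    reason: str

def inspect_authorization(value, known_users, admin_users):
    """Return (user, reason) if this header value warrants review, else None."""
    m = AWS4_RE.search(value)
    if m is None:
        # An AWS4-HMAC header that does not parse is the "mangled header" case.
        return ("?", "malformed AWS4-HMAC header") if "AWS4-HMAC" in value else None
    scope = m.group("cred").split("/")
    user = scope[0]
    if len(scope) != 5 or scope[-1] != "aws4_request":
        return (user, "mangled credential scope")
    if user in admin_users:
        return (user, "admin account presented via AWS4-HMAC")
    if user not in known_users:
        return (user, "unknown user in AWS4-HMAC credential")
    return None  # known non-admin user with a well-formed scope: no finding

def scan_log(lines, known_users, admin_users):
    """Assumed line format: '<timestamp> <client ip> Authorization: <header value>'."""
    findings = []
    for n, line in enumerate(lines, 1):
        if "Authorization:" not in line:
            continue
        hit = inspect_authorization(line.split("Authorization:", 1)[1].strip(),
                                    known_users, admin_users)
        if hit:
            findings.append(Finding(n, *hit))
    return findings

# Constructed sample lines (not real CrushFTP log output).
SAMPLE_LOG = [
    "2025-04-01T10:00:01Z 203.0.113.5 Authorization: AWS4-HMAC-SHA256 Credential=s3user/20250401/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=abc",
    "2025-04-01T10:00:02Z 203.0.113.5 Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/20250401/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=abc",
    "2025-04-01T10:00:03Z 203.0.113.9 Authorization: AWS4-HMAC-SHA256 Credential=attack_user/, SignedHeaders=host, Signature=x",
    "2025-04-01T10:00:04Z 203.0.113.9 Authorization: Basic dXNlcjpwYXNz",
]

def run_example():
    return scan_log(SAMPLE_LOG, known_users={"s3user", "crushadmin"}, admin_users={"crushadmin"})
```

Only the crushadmin request and the mangled-scope request are reported; the ordinary S3-style request from a known user and the Basic-auth line are not.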

Monitoring Recommendations

Integrate behavior analytics within SIEM solutions to detect anomalous login attempts and unauthorized session creations.

How to Mitigate CVE-2025-31161

Immediate Actions Required

  • Upgrade CrushFTP 10 to 10.8.4 or later, or CrushFTP 11 to 11.3.1 or later
  • Implement network segmentation
  • Utilize DMZ proxy instances to isolate services

Patch Information

Patches are available from CrushFTP's update page.

Workarounds

If upgrading is not immediately possible, restrict internal HTTP(S) traffic and enforce strict firewall rules.

```bash
# Configuration example: drop all inbound HTTP(S) traffic to the host.
# These rules block legitimate clients as well; iptables evaluates rules in
# order, so any ACCEPT rules for trusted sources must be inserted before them.
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
