CVE-2025-31161
CrushFTP vulnerability analysis and mitigation

Overview

CVE-2025-31161 is a critical authentication bypass vulnerability affecting CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, discovered in March 2025. The vulnerability, which received a CVSS score of 9.8, allows remote attackers to bypass authentication and gain unauthorized access to CrushFTP servers through exposed HTTP(S) ports. Initially disclosed privately to customers on March 21, 2025, the vulnerability has been actively exploited in the wild since early April 2025 (Outpost24, Huntress).

Technical details

The vulnerability exists in the AWS4-HMAC authorization method of the HTTP component of the CrushFTP server. A race condition in the loginuserpass() function allows authentication without password verification. The race can be stabilized by sending a mangled AWS4-HMAC header containing only a username and a forward slash, which triggers successful authentication but, because of an index-out-of-bounds error, never completes the session cleanup. This makes it possible to authenticate as any known user, including the default administrator account 'crushadmin' (ProjectDiscovery, Outpost24).

Impact

Successful exploitation of this vulnerability can lead to complete system compromise by obtaining administrative access. Attackers can access files, upload malicious content, create additional users, and gain full control of the server. The vulnerability is particularly concerning as file transfer solutions like CrushFTP are often targeted by ransomware groups. Over 1,500 vulnerable instances have been identified as exposed online (Infosecurity, DarkReading).

Mitigation and workarounds

CrushFTP has released patches to address the vulnerability. Users should immediately upgrade to version 10.8.4+ (for v10) or 11.3.1+ (for v11). If immediate patching is not possible, enabling the DMZ proxy instance of CrushFTP can serve as a temporary mitigation measure as the exploit does not work with this configuration enabled. The vulnerability has been added to CISA's Known Exploited Vulnerabilities Catalog with a remediation deadline of April 28, 2025 (CrushFTP, NVD).
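As an added illustration, not code from the advisory or from CrushFTP, the following Python script combines two defender-side checks drawn from the sections above: an inventory check against the affected version ranges listed under Mitigation, and a scan of request logs for AWS4-HMAC Authorization headers whose credential scope is not the five-part SigV4 structure, the malformed shape described under Technical details. The tab-separated log export, the request paths and the client addresses are constructed assumptions, not real CrushFTP output.

```python
import re
from typing import List, Optional, Tuple

# A well-formed SigV4 credential scope has five '/'-separated parts:
# <access-key>/<date>/<region>/<service>/aws4_request
CRED_RE = re.compile(r"Credential=([^,\s]+)")
SCOPE_PARTS = 5

def is_vulnerable_version(version: str) -> bool:
    """True if a CrushFTP version string falls in the affected ranges
    named in the advisory (10.0.0-10.8.3 and 11.0.0-11.3.0)."""
    parts = [int(p) for p in version.split(".")]
    v = tuple(parts + [0] * (3 - len(parts)))[:3]
    return (10, 0, 0) <= v <= (10, 8, 3) or (11, 0, 0) <= v <= (11, 3, 0)

def check_aws4_header(auth: str) -> Optional[str]:
    """Return a finding if an Authorization header claims AWS4-HMAC but its
    credential scope is not the five-part SigV4 structure; None otherwise."""
    if not auth.startswith("AWS4-HMAC"):
        return None
    m = CRED_RE.search(auth)
    if m is None:
        return "AWS4-HMAC header without a Credential field"
    scope = m.group(1).split("/")
    if len(scope) != SCOPE_PARTS or "" in scope or scope[-1] != "aws4_request":
        return f"malformed AWS4-HMAC credential scope for principal '{scope[0]}'"
    return None

# Constructed sample log (hypothetical tab-separated export: client IP,
# request line, Authorization header); not real CrushFTP log output.
SAMPLE_LOG = """\
203.0.113.5\tGET /\tAWS4-HMAC-SHA256 Credential=crushadmin/
198.51.100.7\tGET /\tBasic dXNlcjpwYXNz
192.0.2.9\tPUT /bucket/object\tAWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250401/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=0123abcd
"""

def scan_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, finding) for every request whose header is suspect."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3:
            continue  # skip lines that do not match the assumed export format
        ip, _request, auth = fields
        finding = check_aws4_header(auth)
        if finding:
            findings.append((ip, finding))
    return findings
```

Run `scan_log(SAMPLE_LOG)` to list the offending requests, and feed `is_vulnerable_version` the version strings from your asset inventory to prioritise the upgrade.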

Community reactions

The vulnerability disclosure process became controversial when multiple CVE identifiers were assigned, causing confusion in the security community. CrushFTP CEO Ben Spink criticized several security companies for premature disclosure and creating duplicate CVEs. The situation led to public disagreements between security vendors and researchers about responsible disclosure practices, potentially accelerating exploitation in the wild (DarkReading).
