External risk intelligence

CrushFTP Authentication Bypass Allows Account Takeover.

CVE advisoryKnown Exploit

CVE-2025-31161

An authentication bypass vulnerability exists in CrushFTP, potentially allowing unauthorized access to administrative accounts and full system compromise. This presents a significant business risk due to the ease of exploitation and potential for data breaches. Organizations should identify and update affected software

5Halo Surface Signal

Authentication Bypass

Crushftp

10.0.0 to before 10.8.411.0.0 to before 11.3.1

External exposure likelihood

Halo Surface Signal score for CVE-2025-31161

CrushFTP is a file transfer server application designed to be internet-facing for remote file access and management. It provides a public-facing web interface and FTP/HTTPS services that are commonly exposed to the internet by design to facilitate file exchange between external users and the organization.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in CrushFTP software. This flaw could allow unauthorized access to administrative accounts. Exploitation could lead to a complete system compromise and unauthorized data access.

Vulnerable CrushFTP software
Flaw allows authentication bypass
Potential for full system takeover

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to bypass authentication and gain control of administrative accounts. The attack exploits a race condition within the server's authorization process, which can be further exploited by sending a specially crafted HTTP header. This bypass enables an attacker to authenticate as any known or guessable user, leading to a full system compromise.

Unauthenticated network access required.
Attacker sends malformed header.
Full system control is gained.

Live Threat

Current exploitation, exposure, and threat context

The identified vulnerability in CrushFTP presents a significant risk due to its ease of exploitation and the potential for complete system compromise. Exploitation requires no specialized skills and can be performed remotely without prior access. Attackers can bypass authentication to gain administrative control, leading to severe data breaches and operational disruption. Organizations utilizing the affected versions should consider this a high-priority issue.

Likely attacker skill level: Low
Required access or conditions: None
Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows unauthenticated attackers to bypass authentication and gain administrative control of the affected system. Exploitation can lead to a full compromise of the affected organization's data and systems. This poses a significant business risk due to the potential for unauthorized access and control.

Identify all instances of the affected software.
Restrict network access to the software.
Apply vendor updates and verify remediation.
Monitor for related activity.

Frequently asked questions

What is CrushFTP and its primary function?

CrushFTP is a file transfer server software that organizations use for secure and managed file exchange with external parties over the internet. It supports protocols like FTP and HTTPS for remote file access and management.

What kind of weakness does CVE-2025-31161 represent in CrushFTP?

CVE-2025-31161 is an authentication bypass weakness (CWE-305). This allows an attacker to circumvent the normal login process and impersonate any user, including administrators, without needing valid credentials.

How can an attacker exploit the CrushFTP authentication bypass vulnerability?

An attacker can exploit this by sending a malformed HTTP header with only the username and a trailing slash. This triggers an authentication process that bypasses password verification due to an index-out-of-bounds error, allowing access as any known or guessable user.

What is the relevance of CVE-2025-31161 according to Halo Surface Signal?

Halo Surface Signal scores this CVE as 'Very likely' due to CrushFTP's nature as an internet-facing file transfer server, commonly exposed online for remote access and management via web and FTP/HTTPS services.

What steps should be taken to respond to this CrushFTP vulnerability?

Organizations should identify all instances of affected CrushFTP software, restrict network access to it, apply vendor updates, and verify that remediation is successful. Monitoring for related malicious activity is also recommended.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.