CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation

April 7, 2025, 8:34 a.m.

Description

A critical vulnerability (CVE-2025-31161) in CrushFTP managed file transfer software allows attackers to bypass authentication and gain admin-level access. Affecting versions 10.0.0-10.8.3 and 11.0.0-11.3.0, the flaw enables unauthorized actions, including data retrieval and administrative control. Exploitation has been observed since March 30, 2025, with ~1,500 vulnerable instances exposed. Post-exploitation activities include creating backdoor accounts, deploying MeshCentral agents, and using AnyDesk for remote access. A Telegram bot-based malware was also identified. The vulnerability stems from improper S3 authorization header processing and can be exploited with a simple HTTP request. Immediate patching to versions 11.3.1+ or 10.8.4+ is strongly recommended.

External References

https://otx.alienvault.com/pulse/67f0e1f9e7eb1709fa231134
https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
Tags
anydesk
meshcentral
authentication bypass
CVE-2025-31161
2025-04-05
telegram bot
crushftp
meshcentral agent

Date

  • Created: April 5, 2025, 7:55 a.m.
  • Published: April 5, 2025, 7:55 a.m.
  • Modified: April 7, 2025, 8:34 a.m.

Attack Patterns

  • Telegram bot malware
  • MeshCentral agent
  • AnyDesk

Additional Informations

  • Marketing
  • Retail
  • Semiconductor
  • Technology