Threat Insight
Critical Authentication Bypass Vulnerabilities: CVE-2025-2825 & CVE-2025-31161 in CrushFTP
CrushFTP has published an advisory[1] for a critical authentication bypass vulnerability in CrushFTP. The vulnerability allows unauthenticated attackers to gain control of the crushadmin account. The flaw arises from a race condition and from issues with AWS4-HMAC authorization handling in the HTTP component.

Exploitation of this vulnerability can lead to full system compromise. Attackers can impersonate users, perform administrative actions, access sensitive data, and upload malicious content, posing severe risks to affected systems. An attacker could exploit this vulnerability by sending a specially crafted HTTP request to the CrushFTP server. By manipulating the CrushAuth cookie and AWS4-HMAC-SHA256 authorization header, the attacker can bypass authentication and gain unauthorized access to the server and escalate their privileges.
CVE
CVE-2025-2825
CVE-2025-31161
Affected Products
CrushFTP 10.0.0 to 10.8.3
CrushFTP 11.0.0 to 11.3.0
Exploitation
The vulnerability has been added to the CISA database of known exploited vulnerabilities[2]. A proof-of-concept (PoC) is publicly available, further increasing the risk of exploitation[3].
Recommended Actions
If you’re using versions 10.0.0 to 10.8.3, update to version 10.8.4 or later. If you’re using versions 11.0.0 to 11.3.0, update to version 10.8.4 or later. (The exploit does not work if you have the DMZ proxy instance of CrushFTP in place[1].)
Detection
See the CrushFTP Compromise page[4] for the vendor's guidance on checking an instance for signs of compromise. Indicators of Compromise[5]:
172.235.144[.]67 - Attacker IP address
2.58.56[.]16 - Attacker IP address
Eaion6Mz - Backdoor account name
C:\Windows\Temp\d3d11.dll - TgBot DLL (SHA-256: be6cb5f80b33b9e97622d278a86a99e67b78ccab0b3e554b8430ae5969bcfc0e)
C:\Windows\Temp\mesch.exe - MeshAgent installer binary (SHA-256: 9036c92c3ca73cb6ec2da25035322554319288fd2f6db906413011873ad7e281)
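The following script is an added example, not part of this advisory or of CrushFTP's tooling. It turns the affected-version ranges from the Affected Products section and the indicators listed above into two checks a responder can run: a version-range test for a CrushFTP build string, and an indicator sweep that matches the attacker IPs and the backdoor account name against log lines and compares file SHA-256 digests against the listed hashes. The log line format and the sample lines are constructed for the example; real CrushFTP log formats differ, so the scan works on raw text rather than on a parsed structure.

```python
import hashlib
import re
from pathlib import Path

# Indicators from the Huntress write-up cited as [5]. The IPs are written
# defanged on the page; they are re-fanged here so they match real log text.
ATTACKER_IPS = {"172.235.144.67", "2.58.56.16"}
BACKDOOR_ACCOUNT = "Eaion6Mz"
MALICIOUS_SHA256 = {
    "be6cb5f80b33b9e97622d278a86a99e67b78ccab0b3e554b8430ae5969bcfc0e":
        "TgBot DLL (C:\\Windows\\Temp\\d3d11.dll)",
    "9036c92c3ca73cb6ec2da25035322554319288fd2f6db906413011873ad7e281":
        "MeshAgent installer (C:\\Windows\\Temp\\mesch.exe)",
}

# Affected version ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = [((10, 0, 0), (10, 8, 3)), ((11, 0, 0), (11, 3, 0))]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_version(version: str) -> tuple:
    """'10.8.3' -> (10, 8, 3); tuples compare element-wise like versions."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_version(version: str) -> bool:
    """True if the given CrushFTP version falls inside an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def scan_log_line(line: str) -> list:
    """Return a description of every indicator found in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in ATTACKER_IPS:
            hits.append(f"attacker IP {ip}")
    if BACKDOOR_ACCOUNT in line:
        hits.append(f"backdoor account {BACKDOOR_ACCOUNT}")
    return hits


def scan_log(lines) -> list:
    """Sweep an iterable of log lines; returns (line_number, finding) pairs."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for hit in scan_log_line(line):
            findings.append((number, hit))
    return findings


def lookup_sha256(hexdigest: str):
    """Map a SHA-256 hex digest to the listed indicator name, or None."""
    return MALICIOUS_SHA256.get(hexdigest.lower())


def check_file_bytes(data: bytes):
    """Hash file contents and report a match against the listed binaries."""
    return lookup_sha256(hashlib.sha256(data).hexdigest())


def check_file_path(path: str):
    """Hash a file on disk (e.g. the two Temp paths above); None if absent."""
    p = Path(path)
    if not p.is_file():
        return None
    return check_file_bytes(p.read_bytes())


# Constructed sample log lines (not real CrushFTP output) for demonstration.
SAMPLE_LOG = [
    "2025-04-01 10:12:03 203.0.113.10 login ok user=alice",
    "2025-04-01 10:12:09 172.235.144.67 login ok user=crushadmin",
    "2025-04-01 10:13:41 2.58.56.16 user created name=Eaion6Mz",
    "2025-04-01 10:15:00 198.51.100.7 login failed user=bob",
]

if __name__ == "__main__":
    for ver in ("10.8.3", "10.8.4", "11.3.0", "11.3.1"):
        print(ver, "affected" if is_affected_version(ver) else "not affected")
    for number, finding in scan_log(SAMPLE_LOG):
        print(f"line {number}: {finding}")
    for path in (r"C:\Windows\Temp\d3d11.dll", r"C:\Windows\Temp\mesch.exe"):
        print(path, check_file_path(path) or "no match / not present")
```

Point `scan_log` at the server's HTTP access log and the CrushFTP session log, and run `check_file_path` on the two Temp paths from the indicator list; an attacker IP hit on its own is weaker evidence than the backdoor account name or a hash match, so treat the findings as a starting point for the vendor's Compromise page checks rather than a verdict.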
References
[1] https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
[2] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[3] https://projectdiscovery.io/blog/crushftp-authentication-bypass
[4] https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Compromise
[5] https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation#:~:text=Indicators%20of%20Compromise%20(IOCs)