CrowdSec
CrowdSec Score: 4/10

CrushFTP - Authentication Bypass (CVE-2025-31161)

Published on 26-03-2025
First seen on 25-04-2025

Exploiting IPs reported: 128

CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement.

CrowdSec analysis

CVE-2025-31161 is a critical vulnerability affecting CrushFTP that enables authentication bypass, potentially allowing attackers to take over administrative accounts without valid credentials.

CrowdSec has been tracking this vulnerability and its exploits since 7 April 2025.

Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2025-31161 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2025-31161. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Exploit attempts are specifically directed towards URLs containing /webinterface/function/ along with certain user-related parameters.
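A defender-side check for the exploitation pattern described above, as an added example that is not CrowdSec's code or a CrowdSec scenario: it scans constructed access-log lines for requests to /webinterface/function/ that carry the S3-style AWS4-HMAC authorization scheme and pulls the claimed user out of the header's Credential= field. The log layout (Authorization value as the last quoted field) and the header layout (AWS Signature Version 4 style) are assumptions, not CrushFTP's own log format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed log layout: client IP, two dashes, timestamp, request line, status,
# size, then the Authorization header value as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<auth>[^"]*)"$'
)
# SigV4-style header: "AWS4-HMAC-SHA256 Credential=<user>/<date>/<region>/s3/aws4_request, ..."
CRED_RE = re.compile(r'Credential=(?P<user>[^/,\s]+)/')

@dataclass
class Hit:
    ip: str
    path: str
    claimed_user: Optional[str]
    status: int
    severity: str

def classify(line: str) -> Optional[Hit]:
    """Return a Hit when the line matches the CVE-2025-31161 exploitation pattern."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, auth = m.group("path"), m.group("auth")
    # Pattern from the advisory: the web-interface function endpoint reached
    # through the S3-compatible AWS4-HMAC authorization method.
    if "/webinterface/function/" not in path.lower():
        return None
    if not auth.upper().startswith("AWS4-HMAC"):
        return None
    cred = CRED_RE.search(auth)
    user = cred.group("user") if cred else None
    status = int(m.group("status"))
    # The advisory names crushadmin as the takeover target; a 200 for that
    # user under this scheme is the case most worth paging on.
    severity = "high" if user == "crushadmin" and status == 200 else "medium"
    return Hit(m.group("ip"), path, user, status, severity)

def scan(log_text: str) -> List[Hit]:
    """Run classify() over every line and keep the matches."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]

# Constructed sample lines (not real traffic); only the first two should match.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Apr/2025:10:01:02 +0000] "POST /webinterface/function/ HTTP/1.1" 200 512 "AWS4-HMAC-SHA256 Credential=crushadmin/20250407/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=00"
192.0.2.11 - - [07/Apr/2025:10:01:05 +0000] "POST /webinterface/function/ HTTP/1.1" 401 64 "AWS4-HMAC-SHA256 Credential=bob/20250407/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=00"
192.0.2.12 - - [07/Apr/2025:10:02:00 +0000] "GET /webinterface/function/ HTTP/1.1" 200 128 "Basic Zm9vOmJhcg=="
192.0.2.13 - - [07/Apr/2025:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```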


Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.