vpatch-CVE-2025-31161 AppSec Rule

« vpatch-CVE-2025-31161 »
v0.1 by crowdsecurity
AppSec rule

Detects authentication bypass in CrushFTP via crafted Authorization header and specific endpoint access.

Installation

cscli appsec-rules install crowdsecurity/vpatch-CVE-2025-31161

YAML Configuration

1## autogenerated on 2025-05-09 09:01:45
2name: crowdsecurity/vpatch-CVE-2025-31161
3description: 'Detects authentication bypass in CrushFTP via crafted Authorization header and specific endpoint access.'
4rules:
5  - and:
6      - zones:
7          - URI
8        transform:
9          - lowercase
10        match:
11          type: contains
12          value: /webinterface/function/
13      - zones:
14          - ARGS
15        variables:
16          - command
17        transform:
18          - lowercase
19        match:
20          type: equals
21          value: getuserlist
22      - zones:
23          - HEADERS
24        variables:
25          - authorization
26        transform:
27          - lowercase
28        match:
29          type: equals
30          value: aws4-hmac-sha256 credential=crushadmin/
31
32labels:
33  type: exploit
34  service: http
35  confidence: 3
36  spoofable: 0
37  behavior: 'http:exploit'
38  label: 'CrushFTP - Authentication Bypass'
39  classification:
40    - cve.CVE-2025-31161
41    - attack.T1190
42    - cwe.CWE-287
43

Hub Appsec rule

« vpatch-CVE-2025-31161 »v0.1 by crowdsecurityAppSec rule

« vpatch-CVE-2025-31161 »
v0.1 by crowdsecurity
AppSec rule