CISA Warns of CrushFTP Exploit Letting Attackers Bypass Authentication

Summary: The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability (CVE-2025-31161) affecting CrushFTP, a widely used FTP server, to its Known Exploited Vulnerabilities (KEV) catalog. This authentication bypass vulnerability enables attackers to skip the authentication process, take over administrative accounts, and potentially compromise sensitive data. Users are urged to update to a fixed version to mitigate this serious risk.

Affected: CrushFTP (versions 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0)

Key points:

  • Critical Authentication Bypass Vulnerability CVE-2025-31161 allows attackers to authenticate without valid credentials.
  • The flaw is linked to a race condition in the AWS4-HMAC authorization method within CrushFTP’s HTTP component.
  • Users are advised to upgrade to CrushFTP versions 10.8.4 or 11.3.1 or later to avoid exploitation.
  • Implementing additional security measures, such as a DMZ proxy and enabling automated updates, is highly recommended.
  • This vulnerability has been actively exploited, emphasizing the urgency for updates to prevent data breaches and unauthorized access.
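
As an added triage helper (not from the advisory or from CrushFTP), the script below checks a host inventory against the affected version ranges stated above, using numeric rather than string comparison so that a version such as 10.8.10 is not mistaken for one below 10.8.3; hostnames and versions in the sample are constructed.

```python
"""Triage helper for CVE-2025-31161 (CrushFTP authentication bypass).

Classifies CrushFTP version strings against the affected ranges given in
the advisory: 10.0.0-10.8.3 and 11.0.0-11.3.0 (fixed in 10.8.4 and 11.3.1).
Versions outside both ranges are reported as not affected, exactly as the
published ranges state.
"""
from __future__ import annotations

# Affected ranges from the advisory: (lowest affected, highest affected).
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 8, 3)),
    ((11, 0, 0), (11, 3, 0)),
)


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '11.3.0' into (11, 3, 0); missing trailing components default to 0."""
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)  # tuple comparison is numeric, component by component
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host->version inventory into hosts to patch now and hosts already fixed."""
    result: dict[str, list[str]] = {"patch_now": [], "ok": []}
    for host, version in inventory.items():
        result["patch_now" if is_affected(version) else "ok"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ftp-dmz-01": "10.8.3",    # last affected 10.x release
        "ftp-dmz-02": "10.8.10",   # sorts below "10.8.3" as a string, but is newer and fixed
        "ftp-core-01": "11.3.0",   # last affected 11.x release
        "ftp-core-02": "11.3.1",   # first fixed 11.x release
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts)}")
```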

Source: https://thecyberexpress.com/cisa-adds-cve-2025-31161-to-kev-catalog/