CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation

CVE-2025-31161 is a critical authentication bypass vulnerability in CrushFTP that can give an attacker administrative access and open the way to further exploitation. Organizations running an affected version are urged to patch immediately. Affected: CrushFTP versions 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0.

Key points:

  • CVE-2025-31161 is rated with a critical severity score of 9.8 on the CVSS scale.
  • The vulnerability allows an attacker to bypass authentication in CrushFTP versions 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0.
  • Successful exploitation can lead to administrative access and control over the CrushFTP application.
  • The vulnerability affects publicly exposed instances of CrushFTP, with around 1,500 currently known to be vulnerable.
  • Patch versions have been released, and users are strongly advised to upgrade to CrushFTP versions 10.8.4+ or 11.3.1+.
  • Post-exploitation activity has involved the use of RMM tools like MeshCentral and AnyDesk by attackers.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: HTTP – The attacker used HTTP requests to manipulate the authentication process.
  • T1068 – Exploitation for Client Execution: Admin access was exploited for creating backdoors and performing administrative actions.
  • T1203 – Exploitation for Client Execution: Utilized CVE-2025-31161 to execute unauthorized command sequences.

Indicators of Compromise:

  • [Attacker IP Address] 172.235.144[.]67
  • [Attacker IP Address] 2.58.56[.]16
  • [Backdoor Account Name] Eaion6Mz
  • [File Path] C:\Windows\Temp\d3d11.dll
  • [File Path] C:\Windows\Temp\mesch.exe
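A defender-side check built from the affected version ranges and the indicators above, as an added example (not code from Huntress or the CrushFTP project): it classifies a CrushFTP version string against the vulnerable ranges and sweeps log lines for the listed IPs, account name and file paths. The CrushFTP-style log format of the sample lines is an assumption; the lines themselves are constructed.

```python
import re

# Affected ranges (inclusive) and first fixed release per branch, from the advisory.
AFFECTED = {10: ((10, 0, 0), (10, 8, 3)), 11: ((11, 0, 0), (11, 3, 0))}
FIXED = {10: "10.8.4", 11: "11.3.1"}
# Indicators from the advisory (IPs are shown defanged there).
ATTACKER_IPS = ("172.235.144.67", "2.58.56.16")
BACKDOOR_ACCOUNT = "Eaion6Mz"
SUSPECT_FILES = (r"c:\windows\temp\d3d11.dll", r"c:\windows\temp\mesch.exe")

def parse_version(text):
    """(major, minor, patch) from e.g. '11.3.0' or '10.8.3_12'; build suffix ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """True if the version falls inside an affected range for CVE-2025-31161."""
    v = parse_version(version)
    rng = AFFECTED.get(v[0])
    return rng is not None and rng[0] <= v <= rng[1]

def recommended_upgrade(version):
    """Fixed release for the version's branch, or None if the branch is not listed."""
    return FIXED.get(parse_version(version)[0])

def scan_log(lines):
    """Return (line_no, reason) pairs for lines that reference a listed indicator.
    Paths are compared case-insensitively with '/' normalised to a backslash."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = line.lower().replace("/", "\\")
        for ip in ATTACKER_IPS:  # exact-octet match, so 2.58.56.160 does not hit
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
                hits.append((n, f"attacker IP {ip}"))
        if BACKDOOR_ACCOUNT.lower() in norm:
            hits.append((n, f"backdoor account {BACKDOOR_ACCOUNT}"))
        for path in SUSPECT_FILES:
            if path in norm:
                hits.append((n, f"suspect file {path}"))
    return hits

# Constructed sample lines (not real data) in an assumed CrushFTP-style format.
SAMPLE_LOG = [
    "[2025-04-01 10:02:11] LOGIN user=alice ip=10.0.0.5 result=OK",
    "[2025-04-01 10:05:40] LOGIN user=Eaion6Mz ip=172.235.144.67 result=OK",
    "[2025-04-01 10:06:02] ADMIN user=Eaion6Mz action=add_user",
    "[2025-04-01 10:09:13] UPLOAD user=admin file=C:/Windows/Temp/mesch.exe",
]
```

Run `scan_log` over a real CrushFTP log export and `is_vulnerable` over the version string from the server banner; a hit on the backdoor account or an attacker IP after a successful login is the pattern to escalate.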

Full Story: https://huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation