Ethical Hacking News
A critical security flaw in CrushFTP has been added to the Known Exploited Vulnerabilities (KEV) catalog following confirmed active exploitation in the wild. This vulnerability, CVE-2025-31161, is a case of authentication bypass that could permit an unauthenticated attacker to take over susceptible instances. The exploit allows an attacker to authenticate to any known or guessable user account, potentially leading to a full compromise.
CISA added CrushFTP to its Known Exploited Vulnerabilities (KEV) catalog due to confirmed active exploitation in the wild. The vulnerability, CVE-2025-31161, is an authentication bypass that allows unauthenticated attackers to take over susceptible instances. The shortcoming has a high CVSS score of 9.8 and was previously tracked as CVE-2025-2825. Over 815 unpatched instances are vulnerable to the flaw, with many located in North America and Europe. Federal Civilian Executive Branch (FCEB) agencies are required to apply patches by April 28 to secure their networks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in CrushFTP to its Known Exploited Vulnerabilities (KEV) catalog following confirmed active exploitation in the wild. This vulnerability, CVE-2025-31161, is a case of authentication bypass that could permit an unauthenticated attacker to take over susceptible instances. The exploit allows an attacker to authenticate to any known or guessable user account, potentially leading to a full compromise.
The shortcoming has been assigned a high CVSS score of 9.8 and was previously tracked as CVE-2025-2825, which has now been marked Rejected in the CVE list. This highlights the severity of the issue and the need for users to take immediate action to patch their systems.
Outpost24, which is credited with responsibly disclosing the flaw to the vendor, has stepped in to clarify that it requested a CVE number from MITRE on March 13, 2025, and that it was coordinating with CrushFTP to ensure that the fixes were rolled out within a 90-day disclosure period. However, it wasn't until March 27 that MITRE assigned the flaw the CVE CVE-2025-31161, by which time VulnCheck had released a CVE of its own without contacting "CrushFTP or Outpost24 beforehand to see if a responsible disclosure process was already underway."
This has led to controversy and confusion regarding the disclosure process associated with the flaw. The Swedish cybersecurity company has since released step-by-step instructions to trigger the exploit, which include generating a random alphanumeric session token of a minimum 31 characters in length, setting a cookie called CrushAuth to the value generated in step 1, setting a cookie called currentAuth to the last 4 characters of the value generated in step 1, and performing an HTTP GET request to the target /WebInterface/function/ with the cookies from steps 2 and 3, as well as an Authorization header set to "AWS4-HMAC=/," where is the user to be signed in as (e.g., crushadmin).
The net result of these actions is that the session generated at the start gets authenticated as the chosen user, allowing an attacker to execute any commands that user has rights to. This highlights the severity of the vulnerability and the need for users to take immediate action to patch their systems.
Huntress, which re-created a proof-of-concept for CVE-2025-31161, said it observed in-the-wild exploitation of CVE-2025-31161 on April 3, 2025, and that it uncovered further post-exploitation activity involving the use of MeshCentral agent and other malware. There is some evidence to suggest that the compromise may have happened as early as March 30.
The cybersecurity firm said it has seen exploitation efforts targeting four distinct hosts from four different companies to date, adding three of those affected were hosted by the same managed service provider (MSP). The names of the impacted companies were not disclosed, but they belong to marketing, retail, and semiconductor sectors.
The threat actors have been found to weaponize the access to install legitimate remote desktop software such as AnyDesk and MeshAgent, while also taking steps to harvest credentials in at least one instance. After deploying MeshAgent, the attackers are said to have added a non-admin user ("CrushUser") to the local administrators group and delivered another C++ binary ("d3d11.dll"), an implementation of the open-source library TgBot.
"Tt is likely that the threat actors are making use of a Telegram bot to collect telemetry from infected hosts," Huntress researchers said. As of April 6, 2025, there are 815 unpatched instances vulnerable to the flaw, with 487 of them located in North America and 250 in Europe.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by April 28 to secure their networks. This highlights the severity of the issue and the need for users to take immediate action to patch their systems.
The vulnerability has been added to CrushFTP following confirmed active exploitation in the wild. The vulnerability is a case of authentication bypass that could permit an unauthenticated attacker to take over susceptible instances. It has been fixed in versions 10.8.4 and 11.3.1. The shortcoming has been assigned a high CVSS score of 9.8.
Related Information:
https://www.ethicalhackingnews.com/articles/CrushFTP-Vulnerability-A-Critical-Security-Flaw-with-Devastating-Consequences-ehn.shtml
Published: Tue Apr 8 05:04:03 2025 by llama3.2 3B Q4_K_M
