CVE-2025-31161
CrushFTP Authentication Bypass Vulnerability (listed in the CISA KEV catalog)
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
Comprehensive Technical Analysis of CVE-2025-31161
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2025-31161
CISA Vulnerability Name: CrushFTP Authentication Bypass Vulnerability
CVSS Score: 9.8
The CrushFTP Authentication Bypass Vulnerability (CVE-2025-31161) is a critical security flaw that allows unauthenticated access to the CrushFTP server. The vulnerability is rated with a CVSS score of 9.8 (critical), reflecting the potential for complete system compromise. It affects CrushFTP versions 10 before 10.8.4 and 11 before 11.3.1.
2. Potential Attack Vectors and Exploitation Methods
The vulnerability arises from a race condition in the AWS4-HMAC authorization method used by the HTTP component of the CrushFTP server. The server's authentication process can be bypassed by exploiting this race condition, which allows an attacker to authenticate without providing a valid password.
Exploitation Methods:
- Race Condition Exploitation: An attacker can send multiple authentication requests simultaneously to exploit the race condition, leading to successful authentication without a valid password.
- Mangled AWS4-HMAC Header: By sending a mangled AWS4-HMAC header with only the username and a following slash (/), the server fails to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error. This error prevents the server from reaching the session cleanup phase, allowing the attacker to authenticate as any known or guessable user, such as the administrative account (crushadmin).
3. Affected Systems and Software Versions
Affected Versions:
- CrushFTP 10 before 10.8.4
- CrushFTP 11 before 11.3.1
Mitigating Factor:
- The vulnerability is mitigated if a DMZ proxy instance is used.
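An added example (not part of the advisory or of CrushFTP itself) that checks version strings from an inventory against the fixed versions stated above; the banner format and host names are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions per major branch, as stated in the advisory:
# 10.x is fixed at 10.8.4, 11.x is fixed at 11.3.1.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted numeric version (e.g. '11.3.0') from a banner string."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the version is in the affected range, False if at or past the fix,
    None if no version is found or the major branch is not covered by the advisory."""
    ver = parse_version(banner)
    if ver is None:
        return None
    fixed = FIXED_VERSIONS.get(ver[0])
    if fixed is None:
        return None
    # Pad short versions ('11.3' -> 11.3.0) so the tuple comparison is well-defined.
    padded = (ver + (0, 0, 0))[:3]
    return padded < fixed


def vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose banner indicates an affected CrushFTP version."""
    return sorted(h for h, b in inventory.items() if is_vulnerable(b))


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "ftp-a.example.internal": "CrushFTP 10.8.3",
    "ftp-b.example.internal": "CrushFTP 11.3.1",
    "ftp-c.example.internal": "CrushFTP 11.3",
    "ftp-d.example.internal": "CrushFTP 9.5.0",
}

if __name__ == "__main__":
    print(vulnerable_hosts(SAMPLE_INVENTORY))
```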
4. Recommended Mitigation Strategies
- Update Software: Immediately update to CrushFTP version 10.8.4 or later for version 10, and version 11.3.1 or later for version 11.
- Implement DMZ Proxy: Use a DMZ proxy instance to mitigate the vulnerability.
- Network Segmentation: Segregate the CrushFTP server from other critical systems to limit the potential impact of a compromise.
- Monitoring and Logging: Enhance monitoring and logging to detect and respond to any suspicious authentication attempts.
- Access Controls: Implement strict access controls and multi-factor authentication (MFA) to add an additional layer of security.
5. Impact on Cybersecurity Landscape
The CrushFTP Authentication Bypass Vulnerability highlights the importance of robust authentication mechanisms and the potential risks associated with race conditions in software. This vulnerability underscores the need for:
- Regular software updates and patch management.
- Implementation of defense-in-depth strategies.
- Continuous monitoring and incident response capabilities.
6. Technical Details for Security Professionals
Technical Overview:
- The vulnerability is rooted in the AWS4-HMAC authorization method, which is compatible with S3.
- The server performs a call to login_user_pass() with no password requirement, leading to a race condition.
- The race condition allows the attacker to authenticate the session through the HMAC verification process without proper user verification.
- Sending a mangled AWS4-HMAC header with only the username and a following slash (/) triggers an index-out-of-bounds error, preventing session cleanup and allowing unauthorized access.
Detection and Response:
- Detection: Monitor HTTP(S) authentication logs for unusual patterns, such as bursts of requests using the AWS4-HMAC authorization method, malformed AWS4-HMAC headers that lack a SignedHeaders entry, and successful logins for accounts such as crushadmin that were not preceded by a password check.
- Response: Isolate the affected server, update to a fixed version, and review logs for any signs of compromise.
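An added detection example (not part of the advisory or of CrushFTP) that scans HTTP log lines for AWS4-HMAC-SHA256 authorization headers lacking the SignedHeaders entry or a well-formed credential scope, which is the malformed-header shape described above; the log line format and all sample lines are constructed and must be adapted to the real CrushFTP log layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed log format (hypothetical): timestamp, source IP, request line, auth header.
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<req>[^"]*)" auth="(?P<auth>[^"]*)"')
SCHEME = "AWS4-HMAC-SHA256"


@dataclass
class Finding:
    line_no: int
    src: str
    reason: str
    header: str


def analyze_aws4_header(value: str) -> Optional[str]:
    """Return why an AWS4-HMAC-SHA256 header is malformed, or None if it is well-formed
    (or uses a different scheme). A valid SigV4 credential scope has five '/'-separated
    parts: access-key/date/region/service/aws4_request."""
    if not value.startswith(SCHEME):
        return None
    fields = {}
    for part in value[len(SCHEME):].split(","):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            fields[k.strip()] = v.strip()
    if "SignedHeaders" not in fields:
        return "missing SignedHeaders"
    if "Signature" not in fields:
        return "missing Signature"
    if len(fields.get("Credential", "").split("/")) != 5:
        return "malformed Credential scope"
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Flag every log line whose AWS4-HMAC-SHA256 header deviates from the expected shape."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if m and (reason := analyze_aws4_header(m.group("auth"))):
            findings.append(Finding(n, m.group("src"), reason, m.group("auth")))
    return findings


# Constructed sample lines: a well-formed SigV4 request, a header with only a
# username and trailing slash and no SignedHeaders, and an unrelated Basic login.
SAMPLE_LOG = [
    '2025-04-01T10:00:01Z 198.51.100.7 "GET /WebInterface/ HTTP/1.1" auth="AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20250401/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=deadbeef"',
    '2025-04-01T10:00:02Z 203.0.113.5 "GET /WebInterface/ HTTP/1.1" auth="AWS4-HMAC-SHA256 Credential=crushadmin/"',
    '2025-04-01T10:00:03Z 203.0.113.5 "GET /WebInterface/ HTTP/1.1" auth="Basic dXNlcjpwYXNz"',
]
```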
By addressing this vulnerability promptly and implementing the recommended mitigation strategies, organizations can significantly reduce the risk of unauthorized access and potential system compromise.