CVE-2025-31161 - CrushFTP Authentication Bypass & Admin Takeover Explained
CrushFTP is a popular secure FTP, WebDAV, S3, and HTTP(S) file server solution, used by organizations globally. But in March and April 2025, attackers began exploiting a dangerous zero-day: CVE-2025-31161, which allows anyone on the internet to bypass authentication and take over the admin account on vulnerable servers.
Let's break down exactly how this works, walk through a simple code snippet, show how critical this is, and point to where to get more info.
What’s the Core Issue?
CrushFTP versions 10 (before 10.8.4) and 11 (before 11.3.1) have a logic and race condition flaw in their AWS4-HMAC ("S3 compatible") HTTP authorization code.
What does this mean?
An attacker can effectively log in as any user (for example, the crushadmin superuser), without knowing or guessing the password, simply by abusing the S3 API’s way of authenticating users.
Where's the Flaw?
The vulnerable code verifies that a user exists using a “username only” HTTP header, and does this *before* verifying the password/secret via HMAC (hash-based message authentication code). If an attacker supplies just a username (e.g., crushadmin), the server sees that the user exists and starts authenticating *without* the real password.
If the attacker sends a broken or incomplete AWS4-HMAC header (omitting the "SignedHeaders" part), the server gets confused, throws an error, and skips the authorization cleanup—leaving the session authenticated as the targeted user!
1. Attacker sends a specially crafted HTTP(S) request to the vulnerable CrushFTP server.
2. The request includes only a known/guessable username and a slash in the Authorization header (for example, crushadmin/), and *omits* important header fields (e.g., “SignedHeaders”).
3. The server verifies the username exists by calling login_user_pass() without checking the password.
4. Authentication succeeds because of the missing SignedHeaders value and mishandling of the HMAC process.
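From the defender's side, the fix for the ordering bug described above is to parse and validate the whole AWS4-HMAC-SHA256 header before any user lookup, and to guarantee the session is left unauthenticated on every error path. The following is an added example, not CrushFTP's code: the user store, the simplified key derivation (real SigV4 chains four HMACs) and the string-to-sign are constructed stand-ins.

```python
import hashlib
import hmac
import re

# Constructed sample user store; stands in for the server's real account lookup.
USER_SECRETS = {"crushadmin": b"constructed-admin-secret", "alice": b"constructed-alice-secret"}
_PREFIX = "AWS4-HMAC-SHA256 "
_CRED_RE = re.compile(r"^([^/]+)/(\d{8}/[^/]+/s3/aws4_request)$")

def parse_aws4_authorization(header):
    """Fail-closed parser: (user, scope, signed_headers, signature) or None, no lookup before then."""
    if not header or not header.startswith(_PREFIX):
        return None
    fields = {}
    for part in header[len(_PREFIX):].split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not value:
            return None
        fields[key] = value
    if any(k not in fields for k in ("Credential", "SignedHeaders", "Signature")):
        return None          # e.g. a bare "Credential=crushadmin/" header with no SignedHeaders
    match = _CRED_RE.match(fields["Credential"])
    if not match:
        return None          # trailing slash / empty scope never reaches the user store
    return match.group(1), match.group(2), fields["SignedHeaders"], fields["Signature"]

def expected_signature(secret, scope, string_to_sign):
    """Simplified stand-in for SigV4 key derivation (assumption: not the real four-step chain)."""
    signing_key = hmac.new(b"AWS4" + secret, scope.encode(), hashlib.sha256).digest()
    return hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def authenticate(session, header, string_to_sign, secrets=USER_SECRETS):
    """Sets session['user'] only after the signature verifies; any other path leaves it None."""
    session["user"] = None
    try:
        parsed = parse_aws4_authorization(header)
        if parsed is None:
            return False
        user, scope, _signed_headers, signature = parsed
        secret = secrets.get(user)
        if secret is None:
            return False
        if not hmac.compare_digest(expected_signature(secret, scope, string_to_sign), signature):
            return False
        session["user"] = user
        return True
    except Exception:
        session["user"] = None   # cleanup runs even when header handling raises
        return False
```

The order matters: the header is rejected as malformed before the username is ever consulted, so an incomplete header cannot leave a half-authenticated session behind.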
Here’s a simple Python (requests) demo for educational use *only*:
import requests  # pip install requests

# Target the CrushFTP admin interface
TARGET_URL = "https://victim-crushftp:808/"

# Replace 'crushadmin' with any valid username
headers = {
    "Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/"  # <trailing slash triggers bug>
    # Note: critical 'SignedHeaders' intentionally omitted
}

# verify=False skips TLS certificate checking for the lab target
response = requests.get(TARGET_URL, headers=headers, verify=False)
print("HTTP Status:", response.status_code)
print("Response Text:", response.text)
WARNING: Running this code on servers you don't own is illegal and unethical.
How Is This Used in Real Attacks?
- Stealing sensitive files/data
- Compromising downstream clients
Worse: This works over *HTTP or HTTPS*, so anyone with internet access can use it if your server's port is open and not behind a DMZ proxy.
Mitigation and Recommendations
- Upgrade immediately: CrushFTP 10 users should upgrade to 10.8.4 or above, and version 11 users to 11.3.1 or higher.
- Restrict HTTP/HTTPS ports with firewall rules or VPN.
Original References and Further Reading
- CrushFTP Official Advisory & Patch Notes
- Rapid7 Analysis & Technical Writeup
- US Cybersecurity & Infrastructure Security Agency (CISA) Alert
- The Zero-Day Vulnerability That Let Hackers Take Over File Servers
Simple Takeaway
If you’re running CrushFTP and haven’t upgraded since April 2025, your server can be taken over in seconds. Don’t wait. Patch now!
Stay safe. Keep software up to date. And never trust an Authorization header you didn’t double-check.
Timeline
Published on: 04/03/2025 20:15:25 UTC
Last modified on: 04/08/2025 15:30:22 UTC