CrushFTP: Authentication Bypass by AWS4-HMAC Weakness (CVE-2025-31161) #shorts

Summary

Welcome to today's cybersecurity podcast, where we'll be exploring a critical vulnerability identified as CVE-2025-31161. This vulnerability affects CrushFTP, a popular FTP server software, and has been actively exploited in the wild. With implications for data security and server integrity, understanding this vulnerability is crucial for system administrators and organizations using CrushFTP.

Product details

CrushFTP is a robust file transfer server that supports multiple protocols and is used by various organizations for secure data exchanges. The affected versions are CrushFTP 10 before version 10.8.4 and CrushFTP 11 before version 11.3.1. These versions contain a flaw in their HTTP component's login_user_pass function, which is at the heart of this vulnerability.

Vulnerability type summary

The identified vulnerability is classified under CWE-305, 'Authentication Bypass by Primary Weakness'. This classification indicates that the server's primary authentication mechanism itself can be bypassed, giving unauthorized access to the system and, in this case, administrative access and the possibility of data breaches.

Details of the vulnerability

The vulnerability, dubbed 'Unauthenticated HTTP(S) port access', arises from a race condition in the AWS4-HMAC authorization method of CrushFTP's HTTP component. This flaw enables an authentication bypass, allowing attackers to take control of the crushadmin account without needing a password, thereby gaining administrative privileges. The bypass can be made reliable, without having to win the race, by sending a malformed AWS4-HMAC header: the resulting error stops the server before it reaches its session cleanup, so the improperly authenticated session is never torn down.
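The defensive lesson in this paragraph, and in the CVE description further down, is that an HTTP authorization header must be checked for completeness before any user lookup or session state change happens. The following is an added illustration of that principle, not code from CrushFTP or from the vulnerability report: a strict parser for the standard AWS SigV4 `AWS4-HMAC-SHA256` Authorization header that rejects a credential consisting only of a username and a trailing slash, or a header missing its SignedHeaders or Signature component, before the request reaches authentication. The function names, the `gate_request` flow and the sample headers are constructed for this example.

```python
"""Strict structural validation of AWS4-HMAC-SHA256 Authorization headers.

Added illustration (not CrushFTP code): the header must be complete and
well-formed before any user lookup or session state change is made.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCHEME = "AWS4-HMAC-SHA256 "
REQUIRED = {"Credential", "SignedHeaders", "Signature"}


@dataclass(frozen=True)
class Aws4Authorization:
    access_key: str
    date: str
    region: str
    service: str
    signed_headers: Tuple[str, ...]
    signature: str


def parse_aws4_authorization(header: str) -> Optional[Aws4Authorization]:
    """Return a parsed header, or None if any component is missing or malformed.

    Every check here runs before the caller may touch the user database, so a
    truncated credential never reaches authentication code.
    """
    if not header.startswith(SCHEME):
        return None
    params = {}
    for part in header[len(SCHEME):].split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or key in params:          # no '=' or a duplicated component
            return None
        params[key] = value
    if set(params) != REQUIRED:               # exactly the three SigV4 components
        return None
    cred = params["Credential"].split("/")    # key/date/region/service/aws4_request
    if len(cred) != 5 or not all(cred) or cred[4] != "aws4_request":
        return None
    if not re.fullmatch(r"\d{8}", cred[1]):   # YYYYMMDD scope date
        return None
    signed = tuple(h for h in params["SignedHeaders"].split(";") if h)
    if not signed or "host" not in signed:    # SigV4 always signs the Host header
        return None
    if not re.fullmatch(r"[0-9a-f]{64}", params["Signature"]):  # hex SHA-256 HMAC
        return None
    return Aws4Authorization(cred[0], cred[1], cred[2], cred[3], signed, params["Signature"])


def gate_request(header: str) -> Tuple[str, str]:
    """Decide what may happen next for a request carrying this header.

    'verify' -> structure is sound; the caller may now look up access_key and
                check the HMAC signature (still no session until that passes).
    'reject' -> structurally invalid; log it and stop, with no user lookup.
    """
    parsed = parse_aws4_authorization(header)
    if parsed is None:
        return ("reject", "malformed AWS4-HMAC-SHA256 header")
    return ("verify", parsed.access_key)


def scan_headers(headers: List[str]) -> List[str]:
    """Return the Authorization values a defender should flag when reviewing logs."""
    return [h for h in headers if parse_aws4_authorization(h) is None]


# Constructed sample headers (not captured traffic): one well-formed SigV4
# header and three incomplete ones that strict parsing must reject.
SAMPLE_HEADERS = [
    "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLEKEY/20250401/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-date, Signature=" + "ab" * 32,
    "AWS4-HMAC-SHA256 Credential=someuser/",                                   # credential cut off after the first slash
    "AWS4-HMAC-SHA256 Credential=someuser/20250401/us-east-1/s3/aws4_request",  # no SignedHeaders, no Signature
    "AWS4-HMAC-SHA256 Credential=someuser/20250401/us-east-1/s3/aws4_request, "
    "SignedHeaders=host, Signature=notahexdigest",                             # signature is not a hex digest
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(gate_request(h), "<-", h[:60])
```

The ordering is the point: `gate_request` only ever returns `verify` for a header with all five credential fields, a signed-header list and a plausible signature, so the "find the user first, verify later" sequence the CVE describes cannot occur. Feeding real access logs into `scan_headers` also gives a simple way to spot requests carrying truncated or malformed AWS4-HMAC headers against a CrushFTP HTTP port.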

Conclusion

In conclusion, CVE-2025-31161 represents a significant threat to organizations using affected versions of CrushFTP. It has been exploited in the wild, prompting warnings from CISA. Organizations are advised to upgrade to the latest CrushFTP versions and implement additional security measures such as using DMZ proxies to mitigate potential risks. Continuous vigilance and timely updates remain essential in safeguarding against such vulnerabilities.

Watch the full video on YouTube: CVE-2025-31161

CVE database technical details

CVE ID: CVE-2025-31161

Description: CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.

Provider: mitre

CWE / problem types: CWE-305 Authentication Bypass by Primary Weakness

Affected software versions (vendor: CrushFTP, product: CrushFTP; versionType: custom):
CrushFTP 10, versions before 10.8.4: affected
CrushFTP 11, versions before 11.3.1: affected

Date published: 2025-04-03T00:00:00.000Z

Last updated: 2025-04-21T15:11:23.679Z
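The affected-version records above follow the CVE JSON 5 shape, where `version` is the start of a range and `lessThan` is the first version that is no longer affected. As an added example, not part of the CVE record or of CrushFTP's own tooling, here is a small checker that evaluates installed version strings against those two records so an inventory can be triaged; the version parsing, the `triage` grouping and the host inventory are this example's own constructions.

```python
"""Triage installed CrushFTP versions against the CVE-2025-31161 affected ranges.

Added example: the affected ranges are copied from the CVE record on this page;
the version parsing, triage logic and inventory are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# CVE JSON 5 "versions" entries as listed on the page: 'version' is the start
# of the range and 'lessThan' the first version that is no longer affected.
AFFECTED_VERSIONS = [
    {"version": "10", "lessThan": "10.8.4", "status": "affected", "versionType": "custom"},
    {"version": "11", "lessThan": "11.3.1", "status": "affected", "versionType": "custom"},
]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'10.8.4' -> (10, 8, 4). Returns None for anything that is not purely
    dotted integers, so callers treat unknown formats as 'unknown', not 'safe'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected(installed: str, records=AFFECTED_VERSIONS) -> Optional[bool]:
    """True if 'installed' falls inside an affected range, False if it does not,
    None if the version string could not be parsed."""
    v = parse_version(installed)
    if v is None:
        return None
    for rec in records:
        if rec.get("status") != "affected":
            continue
        start = parse_version(rec["version"])
        fixed = parse_version(rec["lessThan"])
        if start is None or fixed is None:
            continue
        # Each range covers one major line only: the installed version must
        # begin with 'start' (10 or 11 here) and sort below the fixed version.
        # Tuple comparison makes '10.8' count as 10.8.0, which is below 10.8.4.
        if v[: len(start)] == start and v < fixed:
            return True
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status so the affected ones can be upgraded first."""
    buckets: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        result = is_affected(version)
        key = "unknown" if result is None else ("affected" if result else "fixed")
        buckets[key].append(host)
    return buckets


# Constructed inventory (hostnames and versions are not real hosts).
SAMPLE_INVENTORY = {
    "ftp-a.example.internal": "10.8.3",
    "ftp-b.example.internal": "10.8.4",
    "ftp-c.example.internal": "11.2.0",
    "ftp-d.example.internal": "11.3.1",
    "ftp-e.example.internal": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

An unparseable version lands in the `unknown` bucket rather than being silently treated as fixed, which is the safer default when the inventory data is incomplete; a host reporting exactly 10.8.4 or 11.3.1 is outside the `lessThan` bound and therefore counted as fixed.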