Fortra is actively researching a critical authentication bypass vulnerability, CVE-2025-31161, that allows attackers to bypass authentication and take over the CrushFTP admin account on the file transfer server through an exposed HTTP(S) port. The vulnerability can be exploited remotely.
Who is affected?
The following platforms are impacted by this vulnerability:
- CrushFTP 10 versions before 10.8.4
- CrushFTP 11 versions before 11.3.1
Note: If the DMZ function of CrushFTP is enabled and properly configured, then you are not vulnerable.
What can I do?
Customers are advised to update to the following versions:
- Update CrushFTP 10 to version 10.8.4 or higher
- Update CrushFTP 11 to version 11.3.1 or higher
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
- IDS: Deployed IDS signature for capturing potential authentication bypass attempts in CrushFTP when using an S3 authorization context. This includes detecting scenarios where a user lookup function during authentication may bypass password checks.
- Log Detection: Deployed log detection telemetry to collect data on any usage of the default 'crushadmin' administrator account.
- Fusion VM: On April 10, 2025, a new network check was added to the Fusion VM scanner to help in identifying potentially affected environments.
- IP360: Tripwire released scan coverage on April 23, 2025, to identify vulnerable instances. If the vulnerability is detected, it is flagged under Tripwire vulnerability ID 718595, associated with CVE-2025-31161.
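As an added illustration (not Fortra's code and not a CrushFTP component), the two defender-side checks described on this page expressed in Python: a version test against the fixed releases listed under "Who is affected?", honouring the DMZ caveat, and a scan over access-log lines that flags requests presenting an S3-style (AWS Signature Version 4) Authorization header to the HTTP(S) interface, escalating when the principal is the default 'crushadmin' account. The log layout, the regular expressions and the sample lines are assumptions constructed for this example.

```python
import re
from typing import Dict, Iterable, List

# Fixed versions from the advisory: 10.8.4 for the 10.x line, 11.3.1 for the 11.x line.
FIXED_VERSIONS = {10: (10, 8, 4), 11: (11, 3, 1)}
DEFAULT_ADMIN = "crushadmin"   # default administrator account named in the advisory

def parse_version(version: str) -> tuple:
    """'10.8.3' -> (10, 8, 3); tuple comparison then follows release order."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable(version: str, dmz_enabled: bool = False) -> bool:
    """True when the version is in the affected range and no properly configured DMZ shields it."""
    if dmz_enabled:
        return False
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])   # other major lines are not listed as affected
    return fixed is not None and parsed < fixed

# Assumed (hypothetical) access-log layout: the Authorization header is the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \d+ "(?P<auth>[^"]*)"$')
# AWS Signature V4 (S3-style) Authorization header; the Credential scope starts with the principal.
S3_AUTH_RE = re.compile(r"AWS4-HMAC-SHA256\s+Credential=(?P<user>[^/\s,]+)/")

def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One finding per request that presents S3-style authorization to the HTTP(S) interface."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                       # unparsable line: skip rather than guess
        s3 = S3_AUTH_RE.search(m["auth"])
        if s3 is None:
            continue                       # ordinary (non-S3) authentication is out of scope here
        user = s3["user"]
        findings.append({"ip": m["ip"], "user": user, "request": m["req"], "status": m["status"],
                         "severity": "high" if user == DEFAULT_ADMIN else "medium"})
    return findings

# Constructed sample lines (not real traffic); the addresses are from documentation ranges.
SAMPLE_LOG = [
    '198.51.100.23 - - [08/Apr/2025:10:15:02 +0000] "GET / HTTP/1.1" 200 512 "Basic Zm9vOmJhcg=="',
    '203.0.113.7 - - [08/Apr/2025:10:15:09 +0000] "GET / HTTP/1.1" 200 1834 '
    '"AWS4-HMAC-SHA256 Credential=crushadmin/20250408/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=0"',
    '203.0.113.7 - - [08/Apr/2025:10:16:40 +0000] "PUT /bucket/report.txt HTTP/1.1" 200 20 '
    '"AWS4-HMAC-SHA256 Credential=backup-svc/20250408/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=0"',
]
```

Running `scan_log(SAMPLE_LOG)` yields two findings, the 'crushadmin' one at high severity; the plain Basic-auth line is ignored because this check only covers the S3 authorization context named in the IDS note.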
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
- 04/08/2025: Deployed IDS signature for potential authentication bypass attempts in CrushFTP.
- 04/08/2025: Deployed log telemetry for monitoring the default 'crushadmin' administrator account usage.
- 04/10/2025: Network check added to Fusion VM.
- 04/23/2025: Tripwire scan coverage released for CVE-2025-31161 (Vuln ID: 718595).