A recently disclosed critical security flaw impacting CrushFTP has been added by the US Cybersecurity & Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalogue after reports emerged of active exploitation in the wild.
The vulnerability is a case of authentication bypass that could permit an unauthenticated attacker to take over susceptible instances. It has been fixed in versions 10.8.4 & 11.3.1.
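Since the only remediation the article names is upgrading to the fixed builds, the first defender task is finding which instances are still below them. The following Python triage script is an added example, not code from the article, CISA, Outpost24 or CrushFTP; it assumes that every 10.x build below 10.8.4 and every 11.x build below 11.3.1 should be treated as unpatched, and it reports versions on any other release line as unknown rather than guessing, since the article says nothing about them. The hostnames and version strings in the sample inventory are constructed.

```python
"""Check CrushFTP version strings against the fixed builds named in the
advisory (10.8.4 for the 10.x line, 11.3.1 for the 11.x line).

Added example, not vendor or advisory code.
Assumption (labelled): any 10.x build below 10.8.4 and any 11.x build below
11.3.1 is treated as unpatched; other release lines are reported as unknown."""
from __future__ import annotations

import re

# Fixed versions per release line, as stated in the article.
FIXED: dict[int, tuple[int, int, int]] = {10: (10, 8, 4), 11: (11, 3, 1)}

# Matches the first major.minor.patch triple anywhere in a banner or inventory field.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int] | None:
    """Extract (major, minor, patch) from a banner or inventory string; None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_patched(text: str) -> bool | None:
    """True if the build is at or above the fixed version for its release line,
    False if it is below it, None if the version cannot be parsed or sits on a
    release line the advisory does not mention."""
    v = parse_version(text)
    if v is None or v[0] not in FIXED:
        return None
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return v >= FIXED[v[0]]


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts into 'patched', 'unpatched' and 'unknown' for a remediation ticket."""
    groups: dict[str, list[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for host, version_text in inventory.items():
        status = is_patched(version_text)
        if status is None:
            groups["unknown"].append(host)
        elif status:
            groups["patched"].append(host)
        else:
            groups["unpatched"].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up for the demo.
    sample = {
        "ftp-a.example.internal": "11.3.1",
        "ftp-b.example.internal": "11.2.3",
        "ftp-c.example.internal": "10.8.4",
        "ftp-d.example.internal": "10.7.1",
        "ftp-e.example.internal": "CrushFTP 9.4.0",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Feed `triage` whatever your asset inventory or banner scan exports as a host-to-version mapping; anything landing in `unknown` needs a manual look rather than being assumed safe.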
Authentication Bypass
“CrushFTP contains an authentication bypass vulnerability in the HTTP authorisation header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise,” CISA said in an advisory.
The issue has been assigned the CVE identifier CVE-2025-31161 (CVSS score: 9.8). Note that the same vulnerability was previously tracked as CVE-2025-2825, which has now been marked ‘Rejected’ in the CVE list.
Disclosure Process
This comes after the disclosure process associated with the flaw was subject to controversy & confusion, with VulnCheck, acting in its capacity as a CVE Numbering Authority (CNA), assigning its own identifier (i.e., CVE-2025-2825) while the actual CVE (i.e., CVE-2025-31161) was still pending.
Outpost24, which is credited with responsibly disclosing the flaw to the vendor, has stepped in to clarify that it requested a CVE number from MITRE on March 13, 2025, & that it was co-ordinating with CrushFTP to ensure that the fixes were rolled out within a 90-day disclosure period.
However, it was not until March 27 that MITRE assigned the flaw the identifier CVE-2025-31161, by which time VulnCheck had released a CVE of its own without contacting “CrushFTP or Outpost24 beforehand to see if a responsible disclosure process was already underway.”
Instructions
The Swedish cybersecurity company has since released step-by-step instructions to trigger the exploit without sharing much of the technical specifics –
- Generate a random alphanumeric session token of a minimum 31 characters of length.
- Set a cookie called CrushAuth to the value generated in step 1.