Urgent Security Alert: Critical Flaw in CrushFTP Puts Your Data at Risk (CVE-2025-31161)
CVE-2025-31161 is a critical security vulnerability affecting CrushFTP, a popular software for secure file sharing. This severe flaw allows attackers to bypass login protections and gain full control of vulnerable servers without a password. Cybercriminals are already actively exploiting this vulnerability in the wild, putting sensitive organizational data at immediate risk.
What is CVE-2025-31161?
CrushFTP is widely used by businesses to transfer files securely. CVE-2025-31161 is a critical flaw that impacts CrushFTP versions 10 (up to 10.8.3) and 11 (up to 11.3.0).
The flaw is a type of authentication bypass, meaning attackers can skip the login process altogether. It’s easy for attackers to exploit remotely, requires no special access or user interaction, and can lead to the complete loss of data privacy, integrity, and system availability.
It has a severity rating of 9.8 (“Critical”) in the Common Vulnerability Scoring System (CVSS).
Initial confusion caused this vulnerability to be briefly identified as CVE-2025-2825, but the official and correct designation is CVE-2025-31161.
How does this attack work?
The problem lies in how CrushFTP handles certain security checks for incoming web requests. Essentially, there’s a small window during the login process where an attacker can trick the system.
Here’s a quick explanation of how it works.
- A flaw in the security check: CrushFTP has a specific part of its code that checks for secure login information. However, there’s a subtle error where an internal setting is accidentally set to “true” by default.
- Bypassing the password: If the username in the attacker’s fake login information doesn’t contain a specific character (the tilde ‘~’), this “true” setting tells the system to skip the password check entirely. This means an attacker can log in as a legitimate user without knowing their password.
- Crafting a malicious request: Attackers send a custom web request to the CrushFTP server, which includes fake security information and a specific cookie. By combining these elements, the attacker can trigger the vulnerability and gain unauthorized administrative access.
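The following Python model is an added illustration of the logic flaw described above (a fail-open flag that defaults to “true” and skips the password compare for usernames without a tilde), placed beside a fail-closed version; it is not CrushFTP’s code, and the flag name, user store and passwords are constructed for the demonstration.

```python
import hmac
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password: str  # plaintext only to keep the model short
    is_admin: bool = False


# Constructed user store for the demonstration (not real accounts).
USERS = {
    "admin": User("admin", "correct-horse", is_admin=True),
    "svc~backup": User("svc~backup", "battery-staple"),
}


def login_vulnerable(username, password, password_optional=True):
    """Models the flaw: an internal flag (name assumed here) defaults to
    True, and for any username without '~' it turns the password check
    into a no-op, so the caller is authenticated as that user."""
    user = USERS.get(username)
    if user is None:
        return None
    if password_optional and "~" not in username:
        return user  # password never examined: this is the bypass
    return user if user.password == password else None


def login_fixed(username, password):
    """Fail-closed version: no bypass flag exists, and every login
    compares the password (constant-time) regardless of the username."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user.password.encode(), password.encode()):
        return None
    return user
```

The lesson for code review is the shape of the first function: any authentication flag that defaults to the permissive value turns a single overlooked code path into a full bypass, so such flags should default to deny and the compare should be unconditional.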
Is your software vulnerable?
Your CrushFTP version | Is it vulnerable? | Action required
10.0.0 through 10.8.3 | YES | Update immediately
11.0.0 through 11.3.0 | YES | Update immediately
10.8.4 or higher | NO (it’s patched!) | Verify your version
11.3.1 or higher | NO (it’s patched!) | Verify your version
Evidence of active exploitation
Active exploitation was reported shortly after the patches were released, with security firms observing widespread attacks as early as March 30-31, 2025.
Initially, over 1,500 vulnerable CrushFTP instances were exposed online, with significant numbers in the United States. In the following weeks, hundreds of organizations remained unpatched.
Upon successful entry, attackers often establish persistent access. This is done by creating new administrator accounts or deploying Remote Monitoring and Management (RMM) tools, such as MeshAgent or MeshCentral, and AnyDesk.
Attackers also deploy Telegram bot binaries to steal system information and sensitive data. The “Kill Security” (or “Kill”) ransomware group has publicly claimed responsibility for some early exploitation efforts, announcing that they’ve obtained “significant volumes of sensitive data” and intend to extort victims.
This highlights a trend where Managed File Transfer (MFT) solutions are increasingly targeted by ransomware and data extortion groups for their high-value data.
The impact of a successful attack
A successful exploit grants attackers unauthenticated administrative access, which has severe consequences:
- Full system compromise: Attackers can gain complete control over the CrushFTP application and the server it runs on.
- Data exfiltration: They can access and steal any sensitive data stored on the platform or accessible through it.
- Data integrity and ransomware: Attackers can modify, delete, or encrypt files, potentially deploying ransomware to disrupt operations and demand payments.
- Legal and regulatory implications: Organizations may face significant fines, reputational damage, and legal liabilities if personal data is compromised, with strict notification deadlines (e.g. 72 hours under GDPR).
How to protect your organization
The attack’s multi-layered approach combines technical exploitation with advanced social engineering to bypass security controls and user vigilance. It’s essential to take the following steps to protect your organization.
1. Apply updates immediately
- UPDATE NOW: Immediately update all CrushFTP installations to version 10.8.4 or later or 11.3.1 or later. Only obtain updates from the official CrushFTP website.
- Deploy patches: CrushFTP doesn’t have automatic updates, so enterprises need to apply proactive, centralized patching.
- Verify updates: Ensure updates are successfully applied across your environment.
2. Be proactive with security measures and hardening
- Enforce strong passwords: Mandate strong, unique passwords for all CrushFTP accounts, especially administrators.
- Monitor logs comprehensively: Actively monitor CrushFTP server logs (especially \logs\session_logs) for suspicious activity, like new accounts, unusual access, or RMM tool deployments.
- Layer your security: Employ strong email and web filtering, advanced endpoint detection and response (EDR), and network segmentation.
- Restrict network access: Limit CrushFTP access to only trusted clients and IP ranges.
3. Assess and remediate compromise
Applying the patch alone will not remove any existing access gained by attackers who exploited the vulnerability before the software update. Given that active exploitation has been confirmed, you should assume potential prior compromise and take the following steps:
- Assess for unauthorized access: If you were running a vulnerable version, conduct a thorough assessment immediately for signs of compromise going back to at least March 30, 2025.
- Conduct forensic analysis: Examine server logs for new user accounts, modified user properties, or deployed RMM tools and malware.
- Remediate existing compromises: Remove unauthorized accounts, change all legitimate CrushFTP passwords, and remove any deployed malware. If necessary, restore systems from clean, verified backups.
- Address legal obligations: If a data breach is confirmed, promptly fulfill data protection (e.g. GDPR) and industry-specific regulatory obligations, including potential notifications.
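As an added example of the log review called for in the monitoring and assessment steps above (not a tool from the CrushFTP project), this Python triage script scans session log lines for the indicators the article names: accounts created or elevated on or after March 30, 2025, and uploads of the RMM tools mentioned (MeshAgent, MeshCentral, AnyDesk). The log lines and their “timestamp actor action detail” layout are constructed for the example; real CrushFTP session logs have their own format, so the regex is an assumption to adapt.

```python
import re
from datetime import date

# Constructed sample lines (not real CrushFTP output) in an assumed
# "date time actor action detail" layout.
SAMPLE_LOG = """\
2025-03-28 09:12:01 alice LOGIN ok
2025-03-31 02:47:10 admin USER_ADD backup_svc
2025-03-31 02:47:12 admin USER_MODIFY backup_svc admin=true
2025-03-31 02:50:03 backup_svc UPLOAD /tools/MeshAgent.exe
2025-04-02 11:05:44 bob UPLOAD /reports/q1.pdf
2025-04-03 14:20:00 backup_svc UPLOAD /tmp/AnyDesk.exe
"""

EXPLOITATION_START = date(2025, 3, 30)  # earliest observed exploitation
RMM_MARKERS = ("meshagent", "meshcentral", "anydesk")
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\S+) (\S+)(?: (.*))?$")


def triage(log_text):
    """Return (kind, date, actor, detail) findings from the assessment
    window: new accounts, admin grants, and RMM tool uploads."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: keep going rather than abort
        when = date.fromisoformat(m.group(1))
        actor, action, detail = m.group(2), m.group(3), m.group(4) or ""
        if when < EXPLOITATION_START:
            continue  # before the window the article tells you to review
        if action == "USER_ADD":
            findings.append(("new_account", when, actor, detail))
        elif action == "USER_MODIFY" and "admin=true" in detail:
            findings.append(("admin_grant", when, actor, detail))
        elif any(k in detail.lower() for k in RMM_MARKERS):
            findings.append(("rmm_tool", when, actor, detail))
    return findings


def accounts_to_review(findings):
    """Accounts created or elevated in the window: candidates for removal
    or password reset under the remediation steps above."""
    return {detail.split()[0] for kind, _, _, detail in findings
            if kind in ("new_account", "admin_grant")}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
    print("review:", accounts_to_review(triage(SAMPLE_LOG)))
```

Run it against the real session logs after adjusting the regex to the actual line layout; a hit is a lead for the forensic analysis step, not proof of compromise on its own.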
This vulnerability highlights the need to continuously monitor systems, stay informed about threats, and adopt a layered security approach to protect critical infrastructure.
Conclusion
The critical CrushFTP vulnerability puts a spotlight on the fast-paced world of cyber threats.
In addition to patching and implementing security processes, it’s vital to run organizational exercises. Regularly practicing incident response through drills and simulations helps your team reinforce existing policies and processes.
This preparation allows them to respond effectively when similar vulnerabilities emerge, reducing potential harm and protecting sensitive data.
Share your thoughts
Has your business been affected by the CVE-2025-31161 flaw or something similar? How do you stay up to date with the latest cyber threats and keep your team alert to risks? Let us know in the comments below.