[CIVN-2025-0253] Authentication Bypass Vulnerability in CrushFTP

Published On: October 9, 2025

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Authentication Bypass Vulnerability in CrushFTP
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
CrushFTP version 10 prior to 10.8.4
CrushFTP version 11 prior to 11.3.1
Overview
A vulnerability has been reported in CrushFTP that could allow a remote attacker to bypass authentication and gain unauthorised access on the targeted system.
Target Audience:
All organisations and individuals using vulnerable versions of CrushFTP.
Risk Assessment:
High risk of unauthorised access and potential information disclosure.
Impact Assessment:
Potential for system compromise.
Description
CrushFTP is a server application used for secure file transfer over multiple protocols such as FTP, SFTP, and HTTPS.
The vulnerability exists due to a race condition in the AWS4-HMAC authorisation method within the HTTP component. A remote attacker can exploit this flaw by sending specially crafted HTTP POST requests to the /WebInterface/function/ endpoint.
Successful exploitation of this vulnerability could enable a remote attacker to bypass authentication and gain unauthorised access to the targeted system.
Note: This vulnerability (CVE-2025-31161) is being exploited in the wild.
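The two actionable facts above are the affected version ranges and the endpoint the crafted POST requests target. The following Python script is an added example, not CERT-In's or CrushFTP's own tooling: it decides whether a reported CrushFTP version string falls inside the affected ranges (10.x before 10.8.4, 11.x before 11.3.1), and it triages constructed access-log lines for source addresses that repeatedly POST to /WebInterface/function/. The Combined Log Format regex, the `min_posts` threshold and all function names are assumptions; the sample log lines are constructed, not real traffic.

```python
import re
from collections import Counter

# Affected ranges as stated in the advisory: 10.x before 10.8.4, 11.x before 11.3.1.
FIRST_FIXED = {10: (10, 8, 4), 11: (11, 3, 1)}

ENDPOINT = "/WebInterface/function/"  # endpoint named in the advisory

# Combined/common log format; the exact layout is an assumption about the server's logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """Extract the first major.minor[.patch] version from text (e.g. 'CrushFTP 11.2.3')
    and return it as a 3-tuple; a missing patch field becomes 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text):
    """True if the version is inside an affected range from the advisory,
    False if it is at or above the first fixed release, None if the major
    version is not covered by the advisory at all."""
    v = parse_version(text)
    fixed = FIRST_FIXED.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def function_endpoint_posts(log_text):
    """Return (ip, timestamp, status) for every POST to the advisory's endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        if m["method"] == "POST" and m["path"].startswith(ENDPOINT):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


def sources_to_review(log_text, min_posts=3):
    """Source IPs with at least min_posts POSTs to the endpoint.
    The threshold is an assumption: a race condition needs many rapid requests,
    but legitimate WebInterface clients also POST here, so this is triage, not proof."""
    counts = Counter(ip for ip, _, _ in function_endpoint_posts(log_text))
    return sorted(ip for ip, n in counts.items() if n >= min_posts)


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Oct/2025:10:00:01 +0530] "GET /WebInterface/ HTTP/1.1" 200 512
203.0.113.10 - - [09/Oct/2025:10:00:02 +0530] "POST /WebInterface/function/ HTTP/1.1" 401 0
203.0.113.10 - - [09/Oct/2025:10:00:02 +0530] "POST /WebInterface/function/ HTTP/1.1" 401 0
203.0.113.10 - - [09/Oct/2025:10:00:02 +0530] "POST /WebInterface/function/ HTTP/1.1" 200 128
198.51.100.7 - - [09/Oct/2025:10:05:00 +0530] "POST /WebInterface/function/ HTTP/1.1" 200 128
198.51.100.7 - - [09/Oct/2025:10:05:30 +0530] "GET /WebInterface/ HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for banner in ("CrushFTP 10.8.3", "CrushFTP 10.8.4", "CrushFTP 11.2.0", "CrushFTP 11.3.1"):
        print(banner, "affected" if is_affected(banner) else "not affected")
    print("POSTs to endpoint:", len(function_endpoint_posts(SAMPLE_LOG)))
    print("sources to review:", sources_to_review(SAMPLE_LOG))
```

The version check is the part worth automating across an estate: feed it whatever banner or inventory string your asset tracking holds for each CrushFTP host and patch anything that returns True. The log triage only narrows the set of hosts and sources to look at; a burst of POSTs to /WebInterface/function/ from one address on an unpatched server is a reason to examine that server's sessions and accounts, not evidence of compromise by itself.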
Solution
Apply the appropriate updates as provided by the vendor:
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
Vendor Information
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
References
NIST
https://nvd.nist.gov/vuln/detail/CVE-2025-31161
CENSYS
https://censys.com/advisory/cve-2025-31161
CVE Name
CVE-2025-31161
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
