—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Authentication Bypass Vulnerability in CrushFTP 

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: CRITICAL

Software Affected

CrushFTP version 10 prior to 10.8.4

CrushFTP version 11 prior to 11.3.1

Overview

A vulnerability has been reported in CrushFTP that could allow a remote attacker to bypass authentication and gain unauthorised access on the targeted system.

Target Audience:

All organisations and individuals are using vulnerable versions of CrushFTP.

Risk Assessment:

High risk of unauthorised access and potential information disclosure.

Impact Assessment:

Potential for system compromise.

Description

CrushFTP is a server application used for secure file transfer over multiple protocols such as FTP, SFTP, and HTTPS.

The vulnerability exists due to a race condition in the AWS4-HMAC authorisation method within the HTTP component. A remote attacker can exploit this flaw by sending specially crafted HTTP POST requests to the /WebInterface/function/ endpoint.

Successful exploitation of this vulnerability could enable a remote attacker to bypass authentication and gain unauthorised access to the targeted system.

Note: This vulnerability( CVE-2025-31161) is being exploited in the wild.

Solution

Apply appropriate updates as provided by vendor:

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

Vendor Information

 

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

References

NIST

https://nvd.nist.gov/vuln/detail/CVE-2025-31161

CENSYS

https://censys.com/advisory/cve-2025-31161

CVE Name

CVE-2025-31161

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmjnu44ACgkQ3jCgcSdc

ys+v8Q/+JT1ZtXdy4vspdNQuBYrPl/wuCqIBGGKSYr16YkCYvtOebuyp9iZJfCXo

EpK0wjCOHNN+fEVCG+GjsDMA7lTcfEqmsTQUvfO/VheyQlwe6GfJGuItozFfJOAt

unqpCWWOGvTs6+WQ72Z8z5T+FItlaZcJWkveBqRlJP5cayGJgpHHaNZAyEBsdWwY

fW9SWh3MzxtPATIUfNjiskKoFtlT6ux3oXM5MIhexNFu+5LKmtKZJf5CXlP/1+2H

8nXMgGGvT+4Cxr5RFkrfJ9E8ibKCpVTow62oZk9tHJQPisgjjJWqQ3XuXNCeXbbe

E+KkIbemYLQzK+0EtMoyDnkBgc8NYQb0fSxc4EsIsHCjDDlvCgHgqJi8RvijWfRe

UiHBMcaSmpaPS8LPvrgXlUZLwUy1nh9X7DFwMHTOidqMZdR5Z4VGR7NgiGYwt9r9

l21v0lpkJJLffvkC5VspMahYJxjQ2IwC8r4ka9n7hGo1EDVSsie/L1sP6i05hnZQ

LQIdLOq1b+SncHjBV6BJ4QzxOI0ex6Q8iEHObyU/4HHCOp7q1IrpSz6KaJkHTRpR

ec1pEajk6KqsJ9ljKfiuN2KuspZIkMCnD7l7+WiI9TkFY2UAeA5tGiNoUNcb7W2b

5Kx97qNuUSd3Kc2gXaynORFGnjlrZ3YCKTya7SLLSvmq2b9PlZM=

=7k53

—–END PGP SIGNATURE—–