CyberSecurity news
FlagThis - #crushftp
|
Pierluigi Paganini@securityaffairs.com
//
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP, to its Known Exploited Vulnerabilities (KEV) catalog. This decision follows confirmed active exploitation of the vulnerability in the wild, targeting multiple sectors including retail, marketing, and semiconductor industries. The flaw, present in versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, allows unauthenticated remote attackers to potentially take over susceptible instances of CrushFTP file transfer software if exposed publicly over HTTP(S).
The vulnerability stems from a weakness in the HTTP authorization header, enabling attackers to authenticate to any known or guessable user account, such as "crushadmin," potentially leading to a full system compromise. CrushFTP released fixes for the issue in versions 10.8.4 and 11.3.1, urging customers to update their systems immediately. Initial disclosure of the vulnerability has been controversial, with accusations of premature disclosure and attempts to conceal the issue to allow time for patching. Despite the controversy, the inclusion of CVE-2025-31161 in the KEV catalog signifies its high risk and the need for immediate action. SecurityWeek reports that the ongoing exploitation of the vulnerability has seen attackers deploying tools like MeshAgent for remote monitoring and DLL files indicative of Telegram bot utilization for data exfiltration. In some instances, AnyDesk has been installed prior to the deployment of SAM and System registry hives for credential compromise. FortiGuard Labs has also observed in-the-wild attack attempts targeting CVE-2025-31161. Although Shadowserver Foundation reports a decline in attacks since patches were issued on March 21, 2025, the CISA's warning and inclusion in the KEV catalog emphasize the persistent threat and the critical need for organizations to apply the necessary updates.
Share:
References :
Classification:
Rescana@Rescana
//
CISA has issued an urgent warning regarding a critical authentication bypass vulnerability, CVE-2025-31161, in CrushFTP, a widely-used file transfer server solution. The agency has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling that it is actively being exploited in the wild. This flaw allows attackers to bypass authentication mechanisms and potentially gain unauthorized administrative access to vulnerable CrushFTP servers, posing significant risks to both government agencies and private organizations. Federal cybersecurity officials are urging immediate action to mitigate the threat.
The vulnerability, which affects CrushFTP server versions before 10.8.4 and 11.3.1, stems from improper validation of authentication tokens in the CrushFTP login process. An attacker can manipulate HTTP request parameters to gain unauthorized administrative access. CISA’s advisory highlights that exploitation could lead to a full system compromise. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate this vulnerability by April 28, 2025, emphasizing the severity of the risk. CISA strongly encourages all organizations, including private sector entities and state governments, to prioritize patching CVE-2025-31161 and adopt similar vulnerability management strategies. To mitigate the risk, organizations using CrushFTP should immediately apply available patches or updates issued by the software's developers. Additionally, reviewing system logs for any unusual activity is advised. The Cybersecurity and Infrastructure Security Agency emphasizes that this authentication bypass vulnerability represents a severe security risk, potentially allowing complete compromise of affected CrushFTP servers, and has observed sophisticated threat actors actively exploiting it to establish persistent access to critical systems.
Share:
References :
Classification:
Rescana@Rescana
//
A critical authentication bypass vulnerability, CVE-2025-31161 (previously tracked as CVE-2025-2825), has been identified in CrushFTP, a multi-protocol file transfer server. The vulnerability, which exists in versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, allows attackers to bypass authentication mechanisms, potentially gaining unauthorized access to sensitive data and system resources. CrushFTP privately alerted customers to the issue on March 21, 2025, urging them to apply available patches immediately. BleepingComputer reports that over 1,500 instances remain exposed.
Intrusions exploiting the CVE-2025-2825 vulnerability are already underway, following the emergence of a proof-of-concept exploit. Attackers can gain complete access to affected servers, manipulate files, upload malicious content, and even create admin-level user accounts. Indicators of Compromise include unauthorized access logs, unexpected modifications to user accounts, and unusual file uploads. As a mitigation strategy, CrushFTP recommended activating the demilitarized zone perimeter network option for those unable to promptly update their software.
Share:
References :
Classification:
|