CISA Warns of CrushFTP Vulnerability Exploitation in the Wild - Conflicting Disclosure

Summary:

CISA has added CVE-2025-31161 to their known exploited vulnerability (KEV) database. CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise.

This addition comes on the heels of a controversial disclosure of the vulnerability by two different entities.

Security Officer Comments:

We have been warning about this vulnerability since last week. Ransomware groups like CL0P have historically targeted similar vulnerabilities in the past to steal sensitive data from victims. The dangers of this vulnerability were compounded when Outpost24 responsibly disclosed the vulnerability as CVE-2025-31161, and VulnCheck independently posted their own CVE-2025-2825, which included a working proof-of-concept. This conflicting disclosure created confusion for users, and will likely accelerate exploitation.

VulnCheck’s uncoordinated disclosure enabled threat actors to weaponize the flaw weeks before the embargo ended, leading to widespread attacks. Shadowserver observed exploitation within 48 hours of the PoC release.

Timeline of Events:

  • March 21, 2025:
    • Outpost24 discovers the flaw and coordinates with MITRE and CrushFTP under a 90-day embargo (CVE-2025-31161).
    • CrushFTP releases patches (v10.8.4, v11.3.1) but withholds technical details.
  • March 26, 2025:
    • VulnCheck independently assigns CVE-2025-2825 without coordination, publishing a PoC exploit.
  • March 28, 2025:
    • Shadowserver Foundation reports 1,512 unpatched instances under attack via CVE-2025-2825.
  • April 3, 2025:
    • MITRE rejects CVE-2025-2825, finalizing CVE-2025-31161 as the official identifier.


Suggested Corrections:

  • Patch Immediately:
    • Upgrade to CrushFTP versions 10.8.4 or 11.3.1 to address the vulnerability.
  • Temporary Workaround:
    • Enable DMZ perimeter network settings if patching is not immediately feasible.
  • Monitor Systems:
    • Look for signs of unauthorized access or unusual HTTP requests.


Link(s):
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Contact Us for Threat Assistance Back to Current Threats

Just Starting?



Contact LACyber for More Info



Current Active Cyber Threats