
A critical vulnerability in CrushFTP, now under active exploitation, has been added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The flaw lets an unauthenticated attacker bypass authentication and take complete control of a vulnerable instance: no password is required, only the name of an existing account.
Identified as CVE-2025-31161, the vulnerability carries a CVSS score of 9.8. It lies in the server's HTTP authorization handling and lets a remote attacker impersonate any existing user, such as the built-in "crushadmin" administrator, and act under that identity. The affected releases are CrushFTP 10 before 10.8.4 and CrushFTP 11 before 11.3.1; the fixes shipped in those two versions.
The case is complicated not only by the technical details but also by a convoluted disclosure timeline. VulnCheck, acting as a CVE Numbering Authority (CNA), initially assigned the identifier CVE-2025-2825. MITRE then issued CVE-2025-31161 on March 27 as the authoritative identifier, and the earlier CVE was rejected as a duplicate. The discrepancy set off a dispute between VulnCheck, MITRE, and the CrushFTP developers.
According to Outpost24, which originally discovered the issue, a CVE request was submitted to MITRE on March 13, and the vendor began preparing patches under a standard 90-day coordinated-disclosure window. VulnCheck, however, published details of the flaw before that process completed, without notifying either CrushFTP or Outpost24.
VulnCheck in turn accused the developers of trying to keep the flaw quiet, pointing to their request to hold disclosure for 90 days. MITRE, for its part, was criticized for delaying the official CVE record while the vulnerability was already being exploited in the wild.
Meanwhile, exploitation instructions have surfaced online. They describe crafting a session and manipulating HTTP authorization headers so that the server accepts a login as any known user without ever checking a password. A complete, ready-to-run exploit has not been published, but researchers have described its core mechanics, and that is enough both to reproduce it and to write detections for it.
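Two checks a defender would want at this point, written here as an added example (not CrushFTP's, Outpost24's or Huntress's code): a version triage against the fixed releases named above, and a scan of raw HTTP requests (for instance from a reverse-proxy capture) for the authorization-header shape described in the public write-ups. That shape, an S3-style `AWS4-HMAC-SHA256 Credential=<user>/` header naming a CrushFTP account with no AWS signing scope behind the slash, often sent together with a `CrushAuth` session cookie, is taken from those write-ups and not from the text above, which only speaks of "authorization headers"; the sample requests are constructed, not captured traffic.

```python
"""Triage helpers for the CrushFTP authentication bypass (CVE-2025-31161).

Added example. version_status() compares an installed version with the
fixed releases (10.8.4 / 11.3.1); flag_requests() scans raw HTTP requests
for the S3-style Authorization header shape from the public write-ups.
"""
import re

# Fixed releases from the advisory; everything lower on the same branch is exposed.
FIXED_VERSIONS = {10: (10, 8, 4), 11: (11, 3, 1)}
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def version_status(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unlisted' for a CrushFTP version string."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parsed = tuple(int(x) for x in m.groups(default="0"))
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        # 9.x and older are outside the advisory's affected range and are
        # unsupported: 'unlisted' means 'upgrade anyway', not 'safe'.
        return "unlisted"
    return "vulnerable" if parsed < fixed else "patched"


# Authorization: AWS4-HMAC-SHA256 Credential=<user>/<scope>, SignedHeaders=..., Signature=...
# A genuine S3 client always sends a scope (date/region/service/aws4_request).
AWS4_RE = re.compile(r"^AWS4-HMAC-SHA256\s+Credential=([^/,\s]+)/([^,\s]*)", re.IGNORECASE)


def parse_request(raw: str):
    """Split a raw HTTP request into (request line, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_cookies(header_value: str) -> dict:
    cookies = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def check_request(raw: str):
    """Return a finding dict for a likely bypass attempt, else None."""
    request_line, headers = parse_request(raw)
    match = AWS4_RE.match(headers.get("authorization", ""))
    if not match:
        return None
    user, scope = match.group(1), match.group(2)
    cookies = parse_cookies(headers.get("cookie", ""))
    reasons = []
    if scope == "":
        reasons.append("credential has no AWS signing scope after the user name")
    if "CrushAuth" in cookies:
        # A browser session cookie next to an S3 signature header is not
        # something a legitimate S3 client produces.
        reasons.append("CrushAuth session cookie sent alongside an S3 signature")
    if not reasons:
        return None
    return {"user": user, "request": request_line, "reasons": reasons}


def flag_requests(raw_requests):
    """Run check_request over many requests and keep the hits."""
    return [f for f in (check_request(r) for r in raw_requests) if f]


# Constructed samples: one bypass-shaped request, one ordinary S3 upload,
# one ordinary web-interface request.
SAMPLE_REQUESTS = [
    "GET /WebInterface/ HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "Cookie: CrushAuth=1743600000000_EXAMPLEsessionTOKEN\r\n"
    "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/\r\n\r\n",
    "PUT /bucket/report.csv HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "Authorization: AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250403/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-date, Signature=0123abcd\r\n\r\n",
    "GET /WebInterface/ HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "Cookie: CrushAuth=1743600000000_EXAMPLEsessionTOKEN\r\n\r\n",
]

if __name__ == "__main__":
    for v in ("10.8.3", "10.8.4", "11.2.0", "11.3.1"):
        print(v, version_status(v))
    for finding in flag_requests(SAMPLE_REQUESTS):
        print(finding)
```

Both signals are heuristics: the empty scope is the stronger one, because no real S3 signature omits it, while the cookie check only catches a browser-style session being mixed into an S3 request. If a deployment really does serve S3 clients, tune the rules on a week of known-good traffic before alerting on them.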
Huntress, which reproduced the proof-of-concept, reported evidence of active exploitation beginning April 3, with indications that attacks may have started as early as March 30. At least four compromised hosts have been identified so far, belonging to organizations in marketing, retail, and semiconductor manufacturing; three of them were served by the same managed service provider (MSP).
After initial access, the attackers deployed the remote-access tools AnyDesk and MeshAgent and attempted to harvest credentials. In one case a modified "d3d11.dll" library linked to the TgBot project was found, suggesting a Telegram bot was used as the channel for exfiltrating data from infected systems. d3d11.dll is a Direct3D system library; a copy planted outside the Windows system directories, next to an application binary, is a common DLL side-loading placement and is worth checking for on any exposed CrushFTP host.
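A host-side hunt for the artefact just described, added here as an example and not Huntress's tooling. It walks a directory tree, reports any d3d11.dll outside the Windows system directories, and also reports any DLL carrying Telegram-bot strings. "TgBot" is the library named in the report; the second marker, "api.telegram.org", is an assumption added here on the grounds that every Telegram bot has to reach that host. The demo tree is constructed in a temporary directory so the script runs on any platform.

```python
"""Hunt for a side-loaded d3d11.dll and Telegram-bot markers in DLLs.

Added example. scan_tree() returns one finding per suspicious DLL;
run_demo() builds a constructed tree and scans it.
"""
import hashlib
import tempfile
from pathlib import Path

SIDELOAD_DLL = "d3d11.dll"
# Where the real Direct3D library legitimately lives (lower-case, POSIX separators).
TRUSTED_DIRS = ("windows/system32", "windows/syswow64", "windows/winsxs")
# "TgBot" is from the incident report; "api.telegram.org" is an added assumption.
TELEGRAM_MARKERS = (b"TgBot", b"api.telegram.org")


def in_trusted_dir(path: Path) -> bool:
    parent = "/" + path.parent.as_posix().lower().strip("/") + "/"
    return any(f"/{d}/" in parent for d in TRUSTED_DIRS)


def scan_tree(root: Path) -> list:
    """Report misplaced d3d11.dll copies and any DLL with Telegram-bot strings."""
    findings = []
    for path in root.rglob("*.dll"):
        if not path.is_file():
            continue
        misplaced = path.name.lower() == SIDELOAD_DLL and not in_trusted_dir(path)
        data = path.read_bytes()
        markers = [m.decode() for m in TELEGRAM_MARKERS if m in data]
        if not misplaced and not markers:
            continue
        findings.append({
            "path": str(path),
            "sha256": hashlib.sha256(data).hexdigest(),
            "misplaced_d3d11": misplaced,
            "markers": markers,
            # Both signals together match the reported implant; either alone
            # still deserves a look.
            "severity": "high" if misplaced and markers else "review",
        })
    return findings


def build_demo_tree(root: Path) -> None:
    """Constructed layout: planted DLL beside the app, clean system copy, unrelated DLL."""
    app = root / "CrushFTP"
    sys32 = root / "Windows" / "System32"
    app.mkdir(parents=True)
    sys32.mkdir(parents=True)
    (app / "d3d11.dll").write_bytes(b"MZ\x90\x00" + b"\x00" * 64 + b"TgBot::Api api.telegram.org")
    (sys32 / "d3d11.dll").write_bytes(b"MZ\x90\x00" + b"\x00" * 64 + b"Direct3D 11 Runtime")
    (app / "other.dll").write_bytes(b"MZ\x90\x00TgBot")


def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point scan_tree() at the CrushFTP installation directory and at the user profile directories that AnyDesk and MeshAgent typically install into; the SHA-256 in each finding is what you would submit for reputation lookup or add to a block list.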
As of April 6, 815 publicly exposed and unpatched CrushFTP instances remained online worldwide, 487 of them in North America and 250 in Europe. Given the ongoing exploitation, CISA has directed all U.S. federal civilian agencies to apply the security updates no later than April 28.