CVE-2025-31161 is a critical authentication-bypass vulnerability in CrushFTP that lets an unauthenticated attacker act as an existing user, including administrators. Fixed builds are available, and affected installations should be updated immediately. This post summarises the in-the-wild exploitation and the post-exploitation tooling observed. Affected: CrushFTP software, managed file transfer applications, enterprise data security
Key points:
- Critical-severity vulnerability (CVE-2025-31161) allows authentication bypass in CrushFTP.
- Affected versions are CrushFTP 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.
- The bypass grants the attacker the privileges of the impersonated account, including administrative actions and access to hosted files.
- Patch immediately: the fixes shipped in CrushFTP 10.8.4 and 11.3.1, so upgrade to those builds or later.
- Huntress observed in-the-wild exploitation starting March 31, 2025.
- Post-exploitation activity included deploying remote monitoring and management (RMM) tools, specifically the MeshCentral agent and AnyDesk.
- Attackers created backdoor CrushFTP accounts and dropped remote-access tooling for persistence.
- The targeted servers held sensitive enterprise data, which is what managed file transfer appliances exist to hold and why they remain attractive targets.
MITRE Techniques:
- T1078.001 – Valid Accounts: the bypass lets the attacker operate as an existing administrative account without knowing its password.
- T1071.001 – Application Layer Protocol (Web Protocols): the attack and follow-on actions are driven over HTTP requests to CrushFTP's web interface.
- T1059.001 – Command and Scripting Interpreter: commands run on the host to install the remote-access tooling.
- T1105 – Ingress Tool Transfer: download and installation of AnyDesk and the MeshCentral agent to keep persistent remote access.
Indicators of Compromise:
- IP Address: 172.235.144[.]67
- IP Address: 2.58.56[.]16
- Backdoor Account Name: Eaion6Mz
- File: C:\Windows\Temp\d3d11.dll
- File: C:\Windows\Temp\mesch.exe
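The two questions a responder asks first are "are we on an affected build?" and "do our logs contain the published indicators?". The script below is an added example, not code from Huntress or from CrushFTP: it checks a version string against the affected ranges listed above and scans log lines for the IoC IPs, the backdoor account name and the dropped file paths. The log line format in SAMPLE_LOG is constructed for the example, and the handling of a build suffix such as `11.3.0_12` is an assumption about how CrushFTP formats its version string; adapt both to your real sources.

```python
"""Triage helper for CVE-2025-31161 (CrushFTP authentication bypass).

Added example, not Huntress or CrushFTP code. Two checks:
  1. is_affected(version): is a CrushFTP version inside the advisory's
     affected ranges (10.0.0-10.8.3 and 11.0.0-11.3.0, inclusive)?
  2. scan_lines(lines): which log lines carry a published indicator?
"""
import re
from typing import Dict, List, Tuple

# Affected ranges as stated in the advisory (inclusive on both ends).
AFFECTED_RANGES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((10, 0, 0), (10, 8, 3)),
    ((11, 0, 0), (11, 3, 0)),
]

# Published indicators, kept in the defanged form used in the report.
IOC_IPS_DEFANGED = ["172.235.144[.]67", "2.58.56[.]16"]
IOC_ACCOUNT = "Eaion6Mz"
IOC_FILES = [r"C:\Windows\Temp\d3d11.dll", r"C:\Windows\Temp\mesch.exe"]

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4, hxxp://) back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_version(version: str) -> Tuple[int, ...]:
    """Extract major.minor.patch; a trailing build suffix like '_12' is
    assumed possible and ignored."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls inside an affected range (tuple comparison)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _norm_path(text: str) -> str:
    """Normalise slashes and case so C:/Windows/Temp/x matches C:\\Windows\\Temp\\x."""
    return text.replace("/", "\\").lower()


def scan_lines(lines: List[str]) -> List[Dict]:
    """Return one record per line that carries at least one indicator."""
    ioc_ips = {refang(ip) for ip in IOC_IPS_DEFANGED}
    ioc_files = {_norm_path(f) for f in IOC_FILES}
    hits: List[Dict] = []
    for n, line in enumerate(lines, 1):
        reasons: List[str] = []
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                reasons.append(f"ioc-ip:{ip}")
        if IOC_ACCOUNT in line:
            reasons.append(f"backdoor-account:{IOC_ACCOUNT}")
        norm = _norm_path(line)
        for f in ioc_files:
            if f in norm:
                reasons.append(f"ioc-file:{f}")
        if reasons:
            hits.append({"line": n, "reasons": reasons, "text": line})
    return hits


# Constructed sample log lines for the example; not real telemetry.
SAMPLE_LOG = [
    "2025-03-31T02:14:07Z 172.235.144.67 GET /WebInterface/ 200",
    "2025-03-31T02:15:30Z 172.235.144.67 POST /WebInterface/function/ user_created=Eaion6Mz 200",
    "2025-03-31T02:20:11Z 10.0.0.8 GET /WebInterface/ 200",
    "2025-03-31T02:25:52Z host=FS01 file_write C:\\Windows\\Temp\\mesch.exe",
    "2025-03-31T02:26:03Z host=FS01 file_write C:/Windows/Temp/d3d11.dll",
]

if __name__ == "__main__":
    for ver in ("10.8.3", "10.8.4", "11.3.0_12", "11.3.1"):
        print(f"{ver:>10}: {'AFFECTED' if is_affected(ver) else 'ok'}")
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: {', '.join(hit['reasons'])}")
```

The version check is deliberately a plain tuple comparison against the advisory's ranges rather than a "less than the fixed build" test, so a build outside both ranges (for example a 9.x install) is reported as not listed rather than silently treated as patched. The file-path match normalises slashes and case because the same drop can appear as `C:\Windows\Temp\...` in Sysmon and `C:/Windows/Temp/...` in an application log.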
Full Story: https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation