CVE-2025-31161

CRITICAL KEV RANSOMWARE NUCLEI

CrushFTP - Authentication Bypass

Title source: nuclei

Exploitation Summary

CVE-2025-31161 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 7, 2025, with confirmed use in ransomware campaigns. EIP tracks 24 public exploits from researchers including İbrahimsql, Immersive-Labs-Sec, iSee857. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages a race condition and header parsing flaw in CrushFTP's AWS4-HMAC authorization mechanism to bypass authentication and achieve admin access. It includes functionality for target management, vulnerability scanning, and exploitation.

Description

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.

Exploits (24)

exploitdb WORKING POC
by İbrahimsql · python · remote · multiple
https://www.exploit-db.com/exploits/52295

This exploit leverages a race condition and header parsing flaw in CrushFTP's AWS4-HMAC authorization mechanism to bypass authentication and achieve admin access. It includes functionality for target management, vulnerability scanning, and exploitation.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Racy
Target: CrushFTP < 10.8.4, < 11.3.1
No auth needed
Prerequisites: known username (e.g., crushadmin) · network access to CrushFTP HTTP(S) port
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 49 stars
by Immersive-Labs-Sec · remote
https://github.com/Immersive-Labs-Sec/CVE-2025-31161

This PoC exploits an authentication bypass vulnerability (CVE-2025-31161) in CrushFTP to create a new admin-level user account. It sends crafted HTTP requests with specific headers and payloads to bypass authentication and create the user.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: CrushFTP (version not specified)
No auth needed
Prerequisites: knowledge of an existing username on the target CrushFTP server
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 40 stars
by iSee857 · python · poc
https://github.com/iSee857/CVE-PoC/tree/main/CrushFtp-CVE-2025-31161-AuthenticationBypass-poc.py

The repository contains a functional exploit PoC for CVE-2025-31161, targeting CrushFTP with an authentication bypass vulnerability. The script demonstrates command execution via session manipulation and shell command injection.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: CrushFTP
No auth needed
Prerequisites: network access to target · CrushFTP service running
devstral-2 · analyzed Feb 27, 2026

github WORKING POC 12 stars
by ghostsec420 · python · remote
https://github.com/ghostsec420/ShatteredFTP

This Python script exploits CVE-2025-31161 (and CVE-2025-2825) in CrushFTP by sending crafted XML payloads to create a new user with elevated privileges via an authentication bypass. It supports both single-target and mass exploitation with threading.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: CrushFTP (version not specified)
No auth needed
Prerequisites: Network access to CrushFTP WebInterface · CrushFTP vulnerable version
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 5 stars
by 0xgh057r3c0n · remote
https://github.com/0xgh057r3c0n/CVE-2025-31161

This Python exploit targets CVE-2025-31161, an authentication bypass vulnerability in CrushFTP that allows unauthenticated user account creation via crafted XML payloads sent to the WebInterface. The PoC sends a POST request with a malicious XML payload to create a new user account.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: CrushFTP (version not specified)
No auth needed
Prerequisites: Network access to the CrushFTP WebInterface · CrushFTP server vulnerable to CVE-2025-31161
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 2 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-31161

The repository contains functional exploit code for multiple CVEs, including authentication bypass vulnerabilities in TOTOLINK devices and a scanner for Fortinet SSL VPN (CVE-2024-21762). The PoCs demonstrate the vulnerabilities with clear technical details and HTTP request formats.

Classification: Working Poc 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: TOTOLINK LR350 (V9.3.5u.6369_B20220309), TOTOLINK T6 (V4.1.5cu.748_B20211015), Fortinet SSL VPN
No auth needed
Prerequisites: network access to the target device
devstral-2 · analyzed Feb 27, 2026

github WORKING POC 2 stars
by cesarbtakeda · c · poc
https://github.com/cesarbtakeda/CVE-2025-31161

The repository contains functional exploit code for CVE-2025-31161, demonstrating an authentication bypass vulnerability. The exploit creates a new user with arbitrary credentials by sending crafted XML payloads to the target server.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Unknown (likely a web interface with user management functionality)
No auth needed
Prerequisites: Target server running vulnerable software · Network access to the target
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 2 stars
by f4dee-backup · remote
https://github.com/f4dee-backup/CVE-2025-31161

This exploit automates the creation of an admin user in CrushFTP by forging a valid CrushAuth token, leveraging an authentication bypass vulnerability (CVE-2025-31161). It crafts a dynamic token and sends a malicious XML payload to create a privileged user.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: CrushFTP (version not specified)
No auth needed
Prerequisites: curl · shuf · network access to target CrushFTP instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by ibrahmsql · remote
https://github.com/ibrahmsql/CVE-2025-31161

This is a Python-based exploit for CVE-2025-31161, targeting CrushFTP versions before 10.8.4 and 11.3.1. It exploits an authentication bypass via a race condition and header parsing flaw in the AWS4-HMAC mechanism, allowing unauthenticated access and potential admin takeover.

Classification: Working Poc 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Racy
Target: CrushFTP < 10.8.4, < 11.3.1
No auth needed
Prerequisites: Network access to the target CrushFTP server · Known username (e.g., 'crushadmin')
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by TX-One · remote
https://github.com/TX-One/CVE-2025-31161

This repository contains a Python-based exploit tool for CVE-2025-31161, an authentication bypass vulnerability in CrushFTP versions 9.3.8 through 9.3.12.5. The tool automates version detection, credential testing, and exploitation via manipulated HTTP Authorization headers (Bearer/Basic Auth).

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: CrushFTP 9.3.8 to 9.3.12.5
No auth needed
Prerequisites: Python 3.8+ · requests library · colorama library · urllib3 library · target URL · username list
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by Dairrow · remote
https://github.com/Dairrow/CVE-2025-31161

This PoC exploits CVE-2025-31161 in CrushFTP by creating an admin user, enabling a plugin for command execution, and restarting the server to achieve remote code execution (RCE). The exploit leverages authentication bypass and plugin manipulation to execute arbitrary commands.

Classification: Working Poc 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0
No auth needed
Prerequisites: Network access to the CrushFTP server · Known username for impersonation
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by ch3m1cl · poc
https://github.com/ch3m1cl/CVE-2025-31161

This Python script exploits CVE-2025-31161 in CrushFTP to list existing users and create a new malicious user with elevated permissions. It uses crafted HTTP requests with specific headers and XML payloads to interact with the vulnerable service.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: CrushFTP (version not specified)
No auth needed
Prerequisites: Network access to the CrushFTP service · Python 3.10+ with requests module
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 1 star
by SUPRAAA-1337 · remote
https://github.com/SUPRAAA-1337/Nuclei_CVE-2025-31161_CVE-2025-2825

This Nuclei template detects the CrushFTP authentication bypass vulnerability (CVE-2025-2825) by sending crafted HTTP requests with manipulated cookies and headers to check for unauthorized access to user lists.

Classification: Scanner 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0
No auth needed
Prerequisites: Network access to the CrushFTP WebInterface
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2025-31161

This repository provides a detailed technical analysis of CVE-2025-31161, an authentication bypass vulnerability in CrushFTP. It includes root cause analysis, mitigation steps, and references to official sources.

Classification: Writeup 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: CrushFTP 10.0.0–10.8.3, 11.0.0–11.3.0
No auth needed
Prerequisites: known username (e.g., crushadmin)
devstral-2 · analyzed Apr 21, 2026

nomisec WORKING POC
by eserror · remote
https://github.com/eserror/CVE-2025-31161

This repository contains a functional Go exploit for CVE-2025-31161, an authentication bypass vulnerability in CrushFTP versions 10.x and 11.x. The exploit leverages malformed AWS4-HMAC-SHA256 headers and fake session cookies to bypass authentication and create a new admin user.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: CrushFTP 10.x, 11.x
No auth needed
Prerequisites: network access to CrushFTP WebInterface · knowledge of an existing user (default: crushadmin)
devstral-2 · analyzed Feb 23, 2026

nomisec WORKING POC
by Shisones · poc
https://github.com/Shisones/CVE-2025-31161

This repository contains a functional exploit for CVE-2025-31161, an authentication bypass vulnerability in CrushFTP. The exploit leverages a logic error in AWS4-HMAC header parsing to trigger an IndexOutOfBounds exception, allowing session hijacking and administrative account creation.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: CrushFTP (versions < 10.8.4 and < 11.3.1)
No auth needed
Prerequisites: Python 3.x · requests library · network access to target CrushFTP instance
devstral-2 · analyzed Feb 21, 2026

nomisec WORKING POC
by 0xDTC · remote
https://github.com/0xDTC/CrushFTP-auth-bypass-CVE-2025-31161

This repository contains a functional PoC for CVE-2025-31161, an authentication bypass vulnerability in CrushFTP's web interface. It includes Go and Bash implementations to detect vulnerability, enumerate users, and create unauthorized accounts via crafted HTTP requests.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: CrushFTP Web Interface
No auth needed
Prerequisites: Network access to CrushFTP web interface · Target running vulnerable CrushFTP version
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER
by tdawg506 · poc
https://github.com/tdawg506/CVE-2025-31161

This repository contains a Python-based scanner for detecting CVE-2025-31161, an authentication bypass vulnerability in CrushFTP servers. It tests for the vulnerability by manipulating HTTP Authorization headers and provides clear output indicating whether the target is vulnerable.

Classification: Scanner 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: CrushFTP
No auth needed
Prerequisites: network access to the target CrushFTP server
devstral-2 · analyzed May 10, 2026

nomisec SCANNER
by Teexo · poc
https://github.com/Teexo/CVE-2025-31161

This repository contains a Python-based scanner for detecting CVE-2025-31161, an authentication bypass vulnerability in CrushFTP servers. The tool tests for the vulnerability by manipulating HTTP Authorization headers and provides clear output indicating whether the target is vulnerable.

Classification: Scanner 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: CrushFTP (version not specified)
No auth needed
Prerequisites: Network access to the target CrushFTP server · CrushFTP server with vulnerable endpoint exposed
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by acan0007 · poc
https://github.com/acan0007/CVE-2025-31161

The repository contains only a README.md file describing CVE-2025-31161 as an authentication bypass vulnerability in CrushFTP server. No exploit code or technical details are provided.

Classification: Writeup 30%
Attack Type: Auth Bypass
Complexity: Theoretical
Reliability: Theoretical
Target: CrushFTP server (version not specified)
No auth needed
Prerequisites: none specified
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by r0otk3r · remote
https://github.com/r0otk3r/CVE-2025-31161

This Python script exploits CVE-2025-31161, an authentication bypass vulnerability in CrushFTP, by manipulating CrushAuth and AWS4-HMAC-SHA256 headers to retrieve user lists from the getUserList API endpoint.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: CrushFTP (version not specified)
No auth needed
Prerequisites: Network access to the CrushFTP WebInterface
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Drelinss · poc
https://github.com/Drelinss/Blackash-CVE-2025-31161

This PoC exploits CVE-2025-31161, an authentication bypass vulnerability in CrushFTP, to create a new admin-level user account. It sends crafted HTTP requests with specific headers and XML payloads to bypass authentication and create the user.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: CrushFTP
No auth needed
Prerequisites: Knowledge of an existing user on the CrushFTP server · Network access to the target CrushFTP server
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER
by SUPRAAA-1337 · remote
https://github.com/SUPRAAA-1337/CVE-2025-31161_exploit

This script scans for the presence of the string 'crushadmin' in HTTP responses from a target URL or list of URLs, indicating potential exposure of CVE-2025-31161. It uses multi-threading to check multiple targets efficiently.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Unknown (likely a web application with a specific endpoint)
Auth required
Prerequisites: Target URL(s) with a vulnerable endpoint · Network access to the target
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/ch3m1calspain/CVE-2025-31161

This repository contains a functional Python script that exploits CVE-2025-31161 in CrushFTP to list existing users and create a malicious user with elevated permissions. The exploit leverages improper authentication handling in the CrushFTP WebInterface.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: CrushFTP (version not specified)
No auth needed
Prerequisites: network access to CrushFTP WebInterface · Python 3.10+ · requests library
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

CrushFTP - Authentication Bypass
CRITICAL · by parthmalhotra, Ice3man, DhiyaneshDk, pdresearch, whattheslime
Shodan: http.title:"CrushFTP WebInterface" || http.favicon.hash:-1022206565 || http.html:"crushftp"
FOFA: icon_hash="-1022206565" || title="CrushFTP WebInterface" || body="crushftp"

Scores

CVSS v3 9.8
EPSS 0.8894
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-04-07
VulnCheck KEV 2024-04-26
ENISA EUVD EUVD-2025-9910
Ransomware Use Confirmed
CWE CWE-305
Status published
Products (1)
crushftp/crushftp 10.0.0 - 10.8.4
Published Apr 03, 2025
KEV Added Apr 07, 2025
Tracked Since Feb 18, 2026