Federal cybersecurity officials have issued an urgent warning after adding a critical authentication bypass vulnerability in CrushFTP to the government’s catalog of actively exploited security flaws.
The newly identified vulnerability poses risks to both government agencies and private organizations using the popular file transfer software.
Critical Vulnerability Details
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31161, a CrushFTP Authentication Bypass Vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation in the wild.
This high-severity vulnerability affects CrushFTP server versions before 10.5.2 and allows remote attackers to bypass authentication mechanisms.
Security researchers discovered that the vulnerability stems from improper validation of authentication tokens in the CrushFTP login process.
Attackers can exploit this flaw by manipulating HTTP request parameters to gain unauthorized administrative access to vulnerable servers.
Technical Analysis
The vulnerability exists in the authentication handler component, where the following code snippet illustrates the weakness:
public boolean validateAuthToken(String authToken) {
    // Vulnerable code doesn't properly validate token format
    if (authToken != null && authToken.length() > 0) {
        return true; // Authentication bypass occurs here
    }
    return false;
}
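As an added illustration that is not CrushFTP's code and does not appear in the original article, the following Python places the weak check described above beside a hardened validator. The hardened version only accepts tokens the server itself issued: it checks the token's structure, its expiry, and a constant-time HMAC comparison, so no client-supplied string can satisfy it. The token layout, the secret, and the TTL are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for this example only; a real deployment would
# load it from protected configuration rather than embed it in code.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 900  # assumed token lifetime for the example


def vulnerable_validate_auth_token(auth_token):
    """Mirrors the weakness described in the article: any non-empty string passes."""
    return auth_token is not None and len(auth_token) > 0


def issue_auth_token(username, now=None):
    """Issue a server-signed token of the assumed form username.expiry.hmac_sha256_hex."""
    expiry = int(now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    payload = f"{username}.{expiry}".encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{username}.{expiry}.{tag}"


def hardened_validate_auth_token(auth_token, now=None):
    """Return the authenticated username, or None if the token was not issued by this server.

    Checks, in order: type and structure, field formats, expiry, and finally a
    constant-time comparison of the MAC. Extra request parameters or arbitrary
    strings cannot pass because the MAC requires the server secret.
    """
    if not isinstance(auth_token, str):
        return None
    parts = auth_token.split(".")
    if len(parts) != 3:
        return None
    username, expiry_str, tag = parts
    if not username.isalnum() or not expiry_str.isdigit() or len(tag) != 64:
        return None
    current = int(now if now is not None else time.time())
    if int(expiry_str) < current:
        return None
    expected = hmac.new(
        SERVER_SECRET, f"{username}.{expiry_str}".encode(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return username


if __name__ == "__main__":
    # The placeholder from the article's request passes the weak check but not the hardened one.
    print("vulnerable accepts BYPASS_STRING:", vulnerable_validate_auth_token("BYPASS_STRING"))
    print("hardened accepts BYPASS_STRING:", hardened_validate_auth_token("BYPASS_STRING"))
    token = issue_auth_token("alice")
    print("hardened accepts server-issued token as:", hardened_validate_auth_token(token))
```

Binding the username into the signed payload matters as much as the MAC itself: a token that proves only "someone logged in" can be replayed under a different username, whereas here changing the username field invalidates the MAC.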
Security experts note that threat actors are actively exploiting this vulnerability using specially crafted HTTP requests like:
POST /WebInterface/login HTTP/1.1
Host: target-server.com
Content-Type: application/x-www-form-urlencoded
username=admin&auth_token=BYPASS_STRING&bypass=true
Federal Requirements and Broader Implications
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by April 28, 2025.
The directive, titled “Reducing the Significant Risk of Known Exploited Vulnerabilities,” established the KEV Catalog as a living list of Common Vulnerabilities and Exposures (CVEs) that pose significant risk to federal networks.
“This authentication bypass vulnerability represents a severe security risk as it potentially allows complete compromise of affected CrushFTP servers,” said Marcus Thompson, CISA’s Director of Vulnerability Management.
“We’ve observed sophisticated threat actors actively exploiting this vulnerability to establish persistent access to critical systems.”
While BOD 22-01 only applies to federal agencies, CISA strongly urges all organizations running CrushFTP to implement the following mitigations:
- Immediately upgrade to CrushFTP version 10.5.2 or later
- Implement network segmentation to isolate CrushFTP servers
- Deploy intrusion detection systems with signatures to detect exploitation attempts
- Audit authentication logs for suspicious activity patterns
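The last two mitigations, detection signatures and log auditing, can be demonstrated against the request shape the article shows. The Python below is an added example, not part of the article or of CrushFTP, and assumes a proxy or request-logging layer that captures raw login requests together with the source address. It flags POSTs to /WebInterface/login that carry a bypass parameter, an auth_token that does not look like a server-issued token, or other parameters a login form would not send, then groups findings by source so repeated attempts from one address stand out. The login path is taken from the article; the expected parameter set and the token format are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of (source address, raw request) pairs. The first two follow the
# request pattern reported in the article with placeholder values; the rest are benign.
SAMPLE_REQUESTS = [
    ("203.0.113.7",
     "POST /WebInterface/login HTTP/1.1\r\nHost: files.example.test\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=admin&auth_token=BYPASS_STRING&bypass=true"),
    ("203.0.113.7",
     "POST /WebInterface/login HTTP/1.1\r\nHost: files.example.test\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=root&auth_token=x&bypass=1"),
    ("198.51.100.20",
     "POST /WebInterface/login HTTP/1.1\r\nHost: files.example.test\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=alice&password=correct-horse-battery-staple"),
    ("198.51.100.21",
     "GET /WebInterface/ HTTP/1.1\r\nHost: files.example.test\r\n\r\n"),
]

LOGIN_PATH = "/WebInterface/login"  # path from the article's example request
# Assumed: the legitimate login form sends only these fields.
EXPECTED_LOGIN_PARAMS = {"username", "password"}
# Assumed server-issued token format (hex session id); BYPASS_STRING-style values fail it.
TOKEN_FORMAT = re.compile(r"^[0-9a-f]{32,64}$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_login_request(raw):
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != LOGIN_PATH:
        return []
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return []
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    if "bypass" in params:
        findings.append("bypass parameter present")
    if "auth_token" in params and not all(TOKEN_FORMAT.match(v) for v in params["auth_token"]):
        findings.append("auth_token does not match server token format")
    other = set(params) - EXPECTED_LOGIN_PARAMS - {"bypass", "auth_token"}
    if other:
        findings.append("unexpected login parameters: " + ",".join(sorted(other)))
    return findings


def audit(requests):
    """Map each source address to the list of findings for its suspicious login requests."""
    report = {}
    for src, raw in requests:
        findings = inspect_login_request(raw)
        if findings:
            report.setdefault(src, []).append(findings)
    return report


if __name__ == "__main__":
    for src, hits in audit(SAMPLE_REQUESTS).items():
        print(f"{src}: {len(hits)} suspicious login request(s)")
        for findings in hits:
            print("  -", "; ".join(findings))
```

Note that an ordinary access log records the path and status but not the POST body, so a check of this kind needs request bodies captured at a proxy, WAF, or application log level; with only access logs, the fallback is to correlate successful administrative logins with the expected preceding credential exchange and with the source addresses seen.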
Industry Response
CrushFTP developers have released an emergency patch addressing CVE-2025-31161.
“We recommend all customers update immediately regardless of their assessment of exploitation risk,” said CrushFTP’s security team in an advisory.
Security firm Mandiant reports observing exploitation attempts linked to APT41, a threat group with suspected ties to China.
The attacks typically begin with the authentication bypass, followed by the deployment of web shells for persistent access and lateral movement within compromised networks.
CISA continues to update its KEV Catalog as new actively exploited vulnerabilities are discovered.
Organizations can subscribe to CISA’s vulnerability bulletins to receive timely notifications about critical security issues requiring urgent attention.