On 21 March 2025, CrushFTP privately alerted customers to a critical authentication bypass vulnerability, now tracked as CVE-2025-31161. Since the initial disclosure, a proof-of-concept (PoC) exploit has been made publicly available, and the CrushFTP CEO has confirmed observing customer compromises via CVE-2025-31161.
Public reports initially tracked this vulnerability as CVE-2025-2825; however, the CrushFTP CEO has stated that the correct CVE number is CVE-2025-31161.
This flaw allows remote threat actors to access unpatched servers if they are publicly exposed over HTTP or HTTPS. CVE-2025-31161 can be exploited remotely via unauthenticated HTTP requests, enabling threat actors to impersonate users and perform malicious actions. While a valid username is required, the default “crushadmin” administrator account can often be used.
Threat actors are likely to target this vulnerability further, as file transfer solutions like CrushFTP have been popular targets in the past. For instance, last year, another CrushFTP vulnerability (CVE-2024-4040) was exploited in attacks to gather intelligence across various U.S. organisations.
Recommendations for CVE-2025-31161
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| CrushFTP | 10.0.0 to 10.8.3 | 10.8.4+ |
| CrushFTP | 11.0.0 to 11.3.0 | 11.3.1+ |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
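To turn the table above into a repeatable check, the following script classifies installed CrushFTP versions against the affected and fixed ranges listed in this advisory. It is an added example, not Arctic Wolf's or CrushFTP's code; the inventory and version strings are constructed samples, and the handling of a build suffix after the dotted version is an assumption.

```python
# Added example: classify CrushFTP versions against the CVE-2025-31161 table.
import re
from typing import Dict, List, Tuple

# (first affected, last affected, first fixed) per the advisory table.
AFFECTED_RANGES = [
    ((10, 0, 0), (10, 8, 3), (10, 8, 4)),
    ((11, 0, 0), (11, 3, 0), (11, 3, 1)),
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a dotted version into (major, minor, patch).
    Assumption: anything after the numeric dotted prefix (e.g. a build
    suffix) is not significant for the comparison and is ignored."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * max(0, 3 - len(parts))  # '11.1' -> 11.1.0
    return parts[:3]

def assess(version_text: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for CVE-2025-31161.
    'unlisted' means the major version is not covered by the advisory
    table, so the result must be confirmed against vendor guidance."""
    v = parse_version(version_text)
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= v <= hi:
            return "affected"
        if v[0] == fixed[0] and v >= fixed:
            return "fixed"
    return "unlisted"

def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: version}, return hosts still on an affected build."""
    return sorted(h for h, ver in inventory.items() if assess(ver) == "affected")

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "ftp-a.example": "10.8.3",
        "ftp-b.example": "11.3.1",
        "ftp-c.example": "11.2",
        "ftp-d.example": "10.8.4_3",
    }
    for host in hosts_needing_patch(sample):
        print(f"{host}: {sample[host]} is affected, upgrade required")
```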
Workaround (Optional)
For users unable to immediately patch CrushFTP, the vulnerability cannot be exploited if the demilitarised zone (DMZ) proxy instance of CrushFTP is in place, according to CrushFTP.
References
Cybersecurity Dive (CEO Statement)