1. Executive Summary
Attackers are actively targeting a critical authentication bypass in CrushFTP managed file transfer (MFT) software, tracked as CVE-2025-31161. According to Huntress’ incident analysis, in-the-wild exploitation was observed from 30 March–3 April 2025 onwards, with follow-on activity including deployment of remote monitoring and management (RMM) tooling and credential access. The flaw enables unauthenticated access to administrative functionality under certain conditions and can lead to full takeover of the crushadmin account on vulnerable deployments, as described in the NVD entry for CVE-2025-31161. Organisations running CrushFTP v10 (< 10.8.4) or v11 (< 11.3.1) should treat this as a high-priority patch and incident response trigger.
2. Contextual Background
2.1 Nature of the threat
- CVE-2025-31161 – Authentication bypass impacting CrushFTP v10 before 10.8.4 and v11 before 11.3.1, potentially enabling takeover of the crushadmin account. (CrushFTP vendor bulletin (Unauthenticated HTTP(S) port access); NVD)
- CVE-2025-2825 – Widely referenced early in disclosure, but later rejected as a duplicate reservation. (NVD (Rejected) for CVE-2025-2825; ProjectDiscovery note on CVE renaming)
2.2 Threat-actor attribution
Confidence: Possible. Public reporting reviewed for this write-up does not provide a confirmed threat-actor attribution (e.g., APT group designation). Available evidence indicates opportunistic exploitation following public discussion and PoC availability rather than a single uniquely attributable actor set. Huntress describes multiple victim organisations and varied post-exploitation tooling (MeshCentral, AnyDesk, and bespoke malware), which can be consistent with either one actor or multiple copycat operators. (Huntress’ observations and post-exploitation notes)
2.3 Sector and geographic targeting
Observed victims in Huntress’ dataset included marketing, retail, and semiconductor organisations, with several incidents linked via a shared MSP relationship—suggesting targeting of externally exposed MFT services and service-provider ecosystems rather than a single vertical. (Huntress victim context)
3. Technical Analysis
3.1 Vulnerability mechanics and likely ATT&CK mapping
Based on public technical write-ups, exploitation abuses CrushFTP’s HTTP component and an authorisation pathway compatible with S3-style signing (AWS4-HMAC), enabling attackers to influence how authentication is evaluated and ultimately perform administrative actions without valid credentials in vulnerable configurations. (NVD technical description; ProjectDiscovery technical analysis)
Representative ATT&CK techniques associated with reported activity include:
- T1190 – Exploit Public-Facing Application (initial access via exposed CrushFTP HTTP(S))
- T1105 – Ingress Tool Transfer (upload/stage binaries such as MeshAgent installer)
- T1219 – Remote Access Software (use of MeshCentral agent / AnyDesk for persistence and control)
- T1136 – Create Account (creation of new/backdoor admin account within CrushFTP context)
- T1003.002 – OS Credential Dumping: Security Account Manager (SAM) (dumping registry hives after RMM deployment)
3.2 Exploitation status and PoC availability
- Exploited in the wild: Huntress reports active exploitation beginning late March/early April 2025, with follow-on post-exploitation activity. (Huntress)
- Government confirmation / KEV: The Canadian Centre for Cyber Security states that CISA added CVE-2025-31161 to the Known Exploited Vulnerabilities catalogue on 7 April 2025. (Canadian Centre for Cyber Security Alert AL25-003)
- Public PoC / exploit material: Public exploit artefacts have been published, increasing replication risk.
4. Impact Assessment
4.1 Severity and scope
Severity: CVSS 9.8 (Critical) is consistently reported for CVE-2025-31161. (NVD; Huntress) Successful exploitation may enable administrative control, creation of persistent accounts, data access, and downstream code execution depending on environment and operator objectives. (Huntress post-exploitation write-up)
Exposure: Internet-facing MFT services are a high-value target due to sensitive data holdings and direct external accessibility; Censys reported thousands of exposed CrushFTP instances during the disclosure window, including instances presenting potentially vulnerable versions based on observed banners. (Censys exposure analysis)
4.2 Victim profile
Risk is highest for organisations with CrushFTP HTTP(S) interfaces exposed to the internet, especially where default or well-known administrative usernames exist (e.g., crushadmin). Reported activity includes exploitation against multiple companies and MSP-hosted environments. (Huntress)
5. Indicators of Compromise (IOCs)
5.1 IOC table
The following indicators are drawn from Huntress’ published investigation and should be treated as high-signal pivots for hunting and triage. (Huntress IOC section)
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| IP Address | 172.235.144[.]67 | Attacker IP observed in exploitation logs | Huntress |
| IP Address | 2.58.56[.]16 | Attacker IP observed staging uploads | Huntress |
| IP Address | 143.244.47[.]67 | Attacker IP observed in later activity | Huntress |
| IP Address | 146.70.166[.]201 | Attacker IP observed in later activity | Huntress |
| Account / Username | Eaion6Mz | Backdoor account name created by threat actor | Huntress |
| File Path | C:\Windows\Temp\mesch.exe | MeshAgent installer binary staged via CrushFTP | Huntress |
| SHA-256 | 9036c92c3ca73cb6ec2da25035322554319288fd2f6db906413011873ad7e281 | MeshAgent installer binary hash | Huntress |
| File Path | C:\Windows\Temp\d3d11.dll | DLL associated with Telegram bot tooling (“TgBot DLL” in Huntress reporting) | Huntress |
| SHA-256 | be6cb5f80b33b9e97622d278a86a99e67b78ccab0b3e554b8430ae5969bcfc0e | TgBot DLL hash (as labelled by Huntress) | Huntress |
| File Path | c:\Windows\storm.exe | Observed artefact in Huntress IOC list (validate on-host for provenance) | Huntress |
| Log Indicator | AWS4-HMAC-SHA256 Credential=crushadmin/ | String associated with bypass traffic in Huntress PoC and observed exploitation | Huntress |
5.2 Detection guidance
- CrushFTP logs: Hunt for requests containing `AWS4-HMAC-SHA256` and `Credential=crushadmin/`, especially where session context lacks normal interactive login markers. (Huntress exploitation artefacts)
- Session logs directory: Horizon3 notes that session logs under `logs/session_logs` can show suspicious "password OK" for default accounts like `crushadmin` and `anonymous`. (Horizon3 guidance)
- EDR telemetry: Flag execution of RMM installers spawned from the CrushFTP service process and staging under `C:\Windows\Temp\` (e.g., `mesch.exe`, suspicious DLL drops). (Huntress post-exploitation process examples)
- Exposure scanning: Use a vetted detection template to identify vulnerable deployments, then validate manually to avoid false positives (e.g., Nuclei template for CVE-2025-31161).
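The log-hunting logic above, as an added example that is not part of the original report or of any vendor tooling: it flags AWS4-HMAC-SHA256 requests whose Credential principal is a default/admin account (rather than every S3-style request) and "password OK" session events for those accounts. The log line layouts are constructed for the example and are assumptions, not CrushFTP's actual formats.

```python
import re
from collections import Counter

# Accounts whose appearance as an S3-style Credential principal, or in a
# session "password OK" event, warrants review (per the guidance above).
WATCHED_ACCOUNTS = {"crushadmin", "anonymous"}

# AWS4 signing marker plus the principal before the first '/', so that
# "Credential=crushadmin/" captures "crushadmin" while a real access key
# such as "Credential=AKIA.../20250401/..." captures the key instead.
AWS4_CRED_RE = re.compile(r"AWS4-HMAC-SHA256\s+Credential=([^/\s]+)/")
# Source IPv4 after the bracketed timestamp (constructed log layout).
SRC_IP_RE = re.compile(r"^\[[^\]]*\]\s+(\d{1,3}(?:\.\d{1,3}){3})")
# "<user>: password OK" event in a session log (constructed layout).
PASSWORD_OK_RE = re.compile(r"\b([A-Za-z0-9_]+):\s*password OK\b", re.IGNORECASE)

# Constructed sample lines, not real CrushFTP output (IPs are documentation ranges).
SAMPLE_HTTP_LOG = [
    '[2025-04-01 02:13:07] 203.0.113.10 GET /admin/users "AWS4-HMAC-SHA256 Credential=crushadmin/" 200',
    '[2025-04-01 02:13:09] 203.0.113.10 POST /admin/users "AWS4-HMAC-SHA256 Credential=crushadmin/" 200',
    '[2025-04-01 09:41:05] 198.51.100.7 GET /bucket/report.csv '
    '"AWS4-HMAC-SHA256 Credential=AKIAEXAMPLEKEY/20250401/us-east-1/s3/aws4_request" 200',
    '[2025-04-01 09:50:00] 198.51.100.7 POST /login "-" 200',
]
SAMPLE_SESSION_LOG = [
    "[2025-04-01 02:13:06] 203.0.113.10 crushadmin: password OK",
    "[2025-04-01 08:00:12] 192.0.2.44 alice: password OK",
    "[2025-04-01 08:05:30] 192.0.2.44 anonymous: password FAIL",
]


def hunt_http_log(lines):
    """Return (matching lines, hits per source IP) for AWS4 requests whose
    Credential principal is a watched account, e.g. Credential=crushadmin/."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = AWS4_CRED_RE.search(line)
        if not m or m.group(1).lower() not in WATCHED_ACCOUNTS:
            continue  # no AWS4 marker, or a normal access-key principal
        ip = SRC_IP_RE.search(line)
        per_ip[ip.group(1) if ip else "unknown"] += 1
        hits.append(line.rstrip())
    return hits, per_ip


def hunt_session_log(lines):
    """Return session-log lines where a watched account got 'password OK'."""
    return [ln.rstrip() for ln in lines
            if (m := PASSWORD_OK_RE.search(ln)) and m.group(1).lower() in WATCHED_ACCOUNTS]
```

Feed real log files line by line into both functions and pivot on the per-IP counts; a legitimate S3 integration signing with a proper access key is not flagged, which keeps the rule focused on the bypass pattern.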
6. Incident Response Guidance
6.1 Containment, eradication, and recovery
- Immediately patch to CrushFTP 10.8.4+ or 11.3.1+ per the vendor bulletin; prioritise any internet-facing instances first. (CrushFTP vendor bulletin; Canadian Centre for Cyber Security guidance)
- Assume credential exposure for CrushFTP administrative accounts on compromised hosts: rotate admin passwords, invalidate sessions/tokens where possible, and review MFA/SSO configuration.
- Hunt for persistence: enumerate CrushFTP users/admins for newly created or unexpected accounts (e.g., Huntress-reported backdoor account naming), and review role assignments and API keys/tokens. (Huntress account persistence example)
- Remove unauthorised tooling: investigate and uninstall MeshCentral agents / AnyDesk instances not approved by IT, and block known-bad IOCs at network controls. (Huntress RMM observations)
6.2 Forensic artefacts to collect and preserve
- CrushFTP application logs (including `CrushFTP.log`) and the `logs/session_logs` archive. (Huntress logging guidance)
- Web server / reverse proxy logs in front of CrushFTP (if present) for exploit request reconstruction.
- File system triage of `C:\Windows\Temp\` and other staging directories; hash and quarantine suspicious binaries and DLLs (including those listed in the IOC table). (Huntress artefacts)
- Process execution history / EDR timeline around suspected exploitation timeframes; pay attention to `reg.exe` activity consistent with SAM/SYSTEM hive dumping. (Huntress credential access notes)
6.3 Lessons learned
- Reassess whether MFT services must be internet-exposed; where exposure is unavoidable, enforce strong access controls, segmentation, and continuous monitoring.
- Implement rapid patch SLAs for KEV-listed vulnerabilities, particularly in externally accessible infrastructure. (Canadian Centre for Cyber Security note on KEV inclusion)
7. Threat Intelligence Contextualisation
7.1 Similar past incidents
Huntress highlights a broader trend of threat actors targeting MFT platforms due to their external footprint and concentration of sensitive enterprise data. (Huntress trend commentary) CrushFTP has also had prior high-impact issues, such as CVE-2024-4040 (VFS escape/system file access) referenced in vendor update notes. (CrushFTP v11 update notes referencing CVE-2024-4040)
7.2 ATT&CK mapping table (observed lifecycle)
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Authentication bypass via exposed CrushFTP HTTP(S) interface (AWS4-HMAC/S3 auth pathway abuse) |
| Persistence | T1136 | Create Account | Creation of new/backdoor admin account(s) within CrushFTP |
| Command & Control | T1219 | Remote Access Software | Deployment of MeshCentral agent / AnyDesk for interactive access |
| Ingress | T1105 | Ingress Tool Transfer | Upload/staging of executables and DLLs via application functionality |
| Credential Access | T1003.002 | OS Credential Dumping: SAM | Dumping SAM/SYSTEM hives after post-exploitation foothold |
8. Mitigation Recommendations
8.1 Hardening and configuration
- Minimise exposure: Restrict CrushFTP HTTP(S) access to trusted IP ranges/VPN; avoid public exposure where feasible.
- Use DMZ proxy architecture where applicable: The vendor notes the exploit does not work when the DMZ proxy instance is in place for the affected bulletin scenario. (CrushFTP vendor bulletin; Canadian Centre for Cyber Security summary)
- Admin hygiene: Rename/disable default admin accounts where possible, enforce MFA, and ensure administrative interfaces are not exposed to the internet.
- Monitoring: Alert on log strings indicative of exploitation (e.g., AWS4-HMAC markers) and on creation of new administrative users. (Huntress indicators)
8.2 Patch management advice
- Patch immediately due to CVSS 9.8 and confirmed exploitation/KEV inclusion. (NVD; Canadian Centre for Cyber Security (KEV note))
- Prioritisation: Rank remediation highest for internet-facing CrushFTP instances and those with evidence of exploitation attempts; additionally check the current EPSS for CVE-2025-31161 in your vulnerability management tooling to inform scanning and verification cadence.
- Interim workaround (if patching is delayed): Remove public HTTP(S) exposure and restrict management endpoints to internal-only access until upgrades can be completed (risk remains elevated while public PoCs exist). (Public PoC repository; Exploit-DB)
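The prioritisation logic above applied to a version inventory, as an added example that is not part of the original report: the fixed-version thresholds are the per-branch values the report cites from the vendor bulletin (10.8.4 and 11.3.1), and the host inventory and its field names are constructed for the example.

```python
import re

# Minimum fixed version per major branch, as stated in the report (vendor bulletin).
FIXED_BY_BRANCH = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (a banner-derived string) into an int tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True if the version precedes the branch fix, False if fixed, None if the
    branch is not covered by the bulletin (verify manually; banners can lie)."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[0])
    return None if fixed is None else v < fixed


def remediation_priority(host):
    """Lower is more urgent. Exploitation evidence outranks everything because
    the report treats it as an incident response trigger, not just a patch."""
    if host["exploit_evidence"]:
        return 0
    vuln = is_vulnerable(host["version"])
    if vuln is None:
        return 3  # unknown branch: confirm the build before deciding
    if not vuln:
        return 4  # already at or above the fixed version
    return 1 if host["internet_facing"] else 2


def prioritise(inventory):
    """Return the inventory ordered most urgent first (stable for ties)."""
    return sorted(inventory, key=remediation_priority)


# Constructed inventory (hypothetical hosts, not from the report).
INVENTORY = [
    {"host": "mft-internal", "version": "11.2.0", "internet_facing": False, "exploit_evidence": False},
    {"host": "mft-edge", "version": "11.3.0", "internet_facing": True, "exploit_evidence": False},
    {"host": "mft-legacy", "version": "10.8.4", "internet_facing": True, "exploit_evidence": False},
    {"host": "mft-msp", "version": "10.7.1", "internet_facing": True, "exploit_evidence": True},
    {"host": "mft-old", "version": "9.5.0", "internet_facing": False, "exploit_evidence": False},
]
```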
9. Historical Context & Related Vulnerabilities
- CVE-2024-4040 – CrushFTP v11 VFS escape/system file download issue referenced in vendor update notes, underscoring the need for sustained patch hygiene around externally exposed file transfer platforms. (CrushFTP v11 update notes)
- Disclosure/identifier confusion: Multiple sources document that CVE-2025-2825 was an early identifier but was later rejected in favour of CVE-2025-31161. (NVD (Rejected) for CVE-2025-2825; ProjectDiscovery update; Huntress note on rejected CVE)
10. Future Outlook
- Copycat acceleration is likely: With public PoCs and detection templates available, exploitation is likely to broaden beyond early operators to include initial access brokers and ransomware affiliates seeking scalable footholds. (Public PoC repository; Nuclei template)
- MFT remains a strategic target: Reporting indicates continued adversary focus on MFT solutions due to high-value data and external exposure; defenders should expect increased scanning and credential/persistence activity following exploitation. (Huntress trend discussion)
11. Further Reading
Vendor and Government Advisories
- CrushFTP vendor bulletin: Unauthenticated HTTP(S) port access (CVE-2025-31161)
- Canadian Centre for Cyber Security Alert AL25-003: Vulnerability impacting CrushFTP
- NVD entry for CVE-2025-31161
Threat Intelligence and Technical Analysis
- Huntress: CVE-2025-31161 auth bypass and post-exploitation (IOCs included)
- ProjectDiscovery: Technical breakdown of CrushFTP authentication bypass
- Censys: Exposure analysis for CVE-2025-31161
Detection and PoC Artefacts
- ProjectDiscovery: Nuclei detection template (CVE-2025-31161)
- GitHub: Public PoC repository for CVE-2025-31161
- Exploit-DB: CrushFTP authentication bypass (CVE-2025-31161)
