CISA Warns of CrushFTP Authentication Bypass Vulnerability Exploited in Attacks
- Source: Vulnerability (cybersecuritynews.com)
Author: Kaaviya
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical authentication bypass vulnerability in CrushFTP file transfer software to its Known Exploited Vulnerabilities (KEV) Catalog.
Designated as CVE-2025-31161, this vulnerability is actively being exploited in the wild, posing significant security risks to organizations using affected versions of the software.
The CrushFTP authentication bypass vulnerability affects versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 of the file transfer application.
With a CVSS score of 9.8 (Critical), this vulnerability enables remote attackers to gain unauthenticated access to systems running unpatched CrushFTP instances.
CrushFTP Authentication Bypass Vulnerability
Security researchers at Outpost24 discovered the flaw, which stems from a critical issue in how CrushFTP processes S3 authorization headers.
The vulnerability involves a boolean flag called lookup_user_pass that serves dual purposes in the authentication chain. When this flag is set to true, it completely bypasses password verification through a problematic condition in the UserTools.java file.
The exploitation method is relatively straightforward, requiring only a simplified AWS S3-style authorization header:
Combined with a specifically formatted CrushAuth cookie, this allows attackers to authenticate as any known or guessable user without providing a password.
According to the Shadowserver Foundation, dozens of exploitation attempts targeting internet-exposed CrushFTP servers have been detected, with over 1,500 vulnerable instances identified online.
Huntress researchers have observed in-the-wild exploitation as early as March 30, 2025, with attackers leveraging the vulnerability to deploy remote management tools and other malware for post-exploitation activities.
The summary of the vulnerability is given below:
- Affected Products: CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0
- Impact: Full system compromise and potential data theft
- Exploit Prerequisites: None; remote exploitation possible without authentication
- CVSS 3.1 Score: 9.8 (Critical)
CISA Directive and Remediation
On April 7, 2025, CISA added the vulnerability to its KEV catalog under Binding Operational Directive (BOD) 22-01, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA noted in its advisory.
CrushFTP released patches addressing the vulnerability in versions 10.8.4 and 11.3.1 on March 21, 2025. Organizations unable to update immediately can enable the DMZ (demilitarized zone) perimeter network option as a temporary workaround.
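As an added example (not from the article or from CrushFTP), the following Python helper turns the version boundaries stated above into an inventory triage check: versions 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0 are flagged for update, 10.8.4 and 11.3.1 and later are not. The handling of a trailing build tag such as `_17` and the sample hostnames are assumptions, not data from the article.

```python
"""Flag CrushFTP versions affected by CVE-2025-31161 for remediation.

Added example; range boundaries are those stated in the article
(affected 10.0.0-10.8.3 and 11.0.0-11.3.0, fixed in 10.8.4 and 11.3.1).
"""
from typing import Dict, Tuple

# Per major branch: (first affected version, first fixed version).
AFFECTED_RANGES = {
    10: ((10, 0, 0), (10, 8, 4)),
    11: ((11, 0, 0), (11, 3, 1)),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Normalise '11.3.0', 'v11.3' or '11.2.3_17' (build tag format is assumed) to a 3-tuple."""
    core = text.strip().lstrip("vV").split("-")[0].split("_")[0]
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)  # treat '11.3' as 11.3.0
    return nums[0], nums[1], nums[2]


def is_vulnerable(text: str) -> bool:
    """True when the version lies inside an affected range and below the fix for its branch."""
    ver = parse_version(text)
    bounds = AFFECTED_RANGES.get(ver[0])
    if bounds is None:
        return False  # branches the article does not list are not claimed affected
    first_affected, first_fixed = bounds
    return first_affected <= ver < first_fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version} inventory to UPDATE, ok or unknown-version."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "UPDATE" if is_vulnerable(version) else "ok"
        except ValueError:
            result[host] = "unknown-version"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real assets.
    sample = {"ftp-a.example": "11.3.0", "ftp-b.example": "10.8.4",
              "ftp-c.example": "11.2.3_17", "ftp-d.example": "10.8.3"}
    for host, action in triage(sample).items():
        print(f"{host}: {action}")
```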
While BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to prioritize remediation of this vulnerability as part of their vulnerability management practice.
Security experts recommend immediate action to update CrushFTP installations to patched versions, especially for internet-facing instances that opportunistic attackers could target.
As file transfer applications remain attractive targets for threat actors, organizations should maintain vigilance and promptly apply security updates to mitigate potential compromise through this critical vulnerability.