FortiNDRCloud
kcheung
Staff
Article Id 393149
Description

FortiGuard Labs has observed in-the-wild exploitation attempts against CVE-2025-31161 in CrushFTP Server.

CrushFTP Server is a file transfer server that supports multiple transfer protocols and runs on multiple platforms.

CVE-2025-31161 is an authentication bypass vulnerability in the HTTP(S) interface of CrushFTP Server: a specially crafted HTTP request lets an unauthenticated remote attacker authenticate as an existing user, including the built-in crushadmin account, and from there take complete control of the server. The NVD entry linked below attributes the bypass to the server's handling of the AWS4-HMAC (S3-compatible) authorization method and notes that instances reached only through a CrushFTP DMZ proxy are not affected.

The following versions of CrushFTP Server are vulnerable to CVE-2025-31161 (the issue is fixed in 10.8.4 and 11.3.1):

  • 10.0.0 ≤ Version < 10.8.4
  • 11.0.0 ≤ Version < 11.3.1
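As an added example (not from this article or from Fortinet), the following Python helper turns the two version ranges above into a check that can be run over an inventory of CrushFTP version strings, so exposed hosts can be found before the detections below ever fire. The ranges are exactly the ones listed above; the handling of a build suffix such as 11.3.0_38 is an assumption about the version string format that the article does not state, and the sample inventory is constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Vulnerable ranges exactly as listed on this page: [lower, upper), where upper is the first fixed release.
VULNERABLE_RANGES = (
    ((10, 0, 0), (10, 8, 4)),
    ((11, 0, 0), (11, 3, 1)),
)


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a CrushFTP version string, or None if unparseable.

    Assumption (not from the article): a build suffix such as '11.3.0_38' may follow the
    dotted triple; anything after the leading digits is ignored, and missing minor/patch
    components are treated as 0 (so '11' -> (11, 0, 0)).
    """
    m = re.match(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        return None
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version falls in a listed vulnerable range, False if not, None if unparseable.

    False also covers branches the page does not list (for example 9.x); it means only that
    the version is outside the ranges given here, not that the branch was assessed.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    return any(lo <= parsed < hi for lo, hi in VULNERABLE_RANGES)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each host in a {host: version_string} inventory to its vulnerability status."""
    return {host: is_vulnerable(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are not real assets).
    sample = {
        "ftp-a": "10.8.3",     # vulnerable: last 10.x release before the fix
        "ftp-b": "10.8.4",     # fixed: boundary is exclusive
        "ftp-c": "11.3.0_38",  # vulnerable: build suffix ignored (assumed format)
        "ftp-d": "11.3.1",     # fixed
        "ftp-e": "unknown",    # unparseable: needs manual follow-up
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {'VULNERABLE' if status else 'unparseable' if status is None else 'not in listed ranges'}")
```

Treat a None result as a host to inspect by hand rather than as safe; a missing or malformed version string is itself a finding in an inventory sweep.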

CVE ID

CVE-2025-31161 (https://nvd.nist.gov/vuln/detail/CVE-2025-31161)

NDR Cloud Detection Rule

FortiNDR Cloud v25.2b+

Detection Rule Name: FortiGuard Outbreak Alert: CrushFTP Authentication Bypass - CVE-2025-31161
Category: Attack:Exploitation
Primary MITRE ID: T1190 - Exploit Public-Facing Application
Playbook: N/A

Threat Hunting

FortiNDR Cloud users can use the IOCs published by Fortinet for this outbreak to hunt for activity related to the CrushFTP authentication bypass attack:
IOC source: https://www.fortiguard.com/outbreak-ioc?tag=crushftp%20authentication%20bypass

All IOCs from that source have been added to FortiNDR Cloud Threat Intelligence.

Suricata Coverage

Customers can build custom investigations and detections on the following Suricata signature:
  • 2061619 -> ET EXPLOIT [CORELIGHT] CrushFTP Auth Bypass Attempt (CVE-2025-31161)

Note that the signature inspects HTTP request content, so attempts delivered over HTTPS are only visible to the sensor where TLS is terminated or decrypted before inspection.
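As an added worked example (not part of this article and not Fortinet tooling), the following Python script runs the hunt described in the two sections above offline against Suricata EVE JSON output: it flags any alert carrying signature ID 2061619 and any event whose source or destination IP appears in an IOC list, recording which of the two conditions matched. The EVE records and the IOC list embedded here are constructed sample data; in practice the indicators must be taken from the FortiGuard IOC source linked above and the events from the sensor's eve.json.

```python
import json
from typing import Dict, Iterable, List, Set

# Suricata signature ID named on this page for the CrushFTP auth bypass (CVE-2025-31161).
CRUSHFTP_AUTH_BYPASS_SID = 2061619


def load_ioc_ips(text: str) -> Set[str]:
    """Parse a newline-separated IP indicator list; blank lines and '#' comments are ignored."""
    ips = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ips.add(line)
    return ips


def hunt_eve(eve_lines: Iterable[str], ioc_ips: Set[str], sid: int = CRUSHFTP_AUTH_BYPASS_SID) -> List[Dict]:
    """Return one hit per EVE record that matches the signature ID or an IOC IP.

    Malformed lines (a partially written eve.json is common on a live sensor) are skipped
    rather than aborting the whole hunt.
    """
    hits = []
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        reasons = []
        if ev.get("event_type") == "alert" and ev.get("alert", {}).get("signature_id") == sid:
            reasons.append("suricata_sid_match")
        if ev.get("src_ip") in ioc_ips or ev.get("dest_ip") in ioc_ips:
            reasons.append("ioc_ip_match")
        if reasons:
            http = ev.get("http", {})
            hits.append({
                "timestamp": ev.get("timestamp"),
                "src_ip": ev.get("src_ip"),
                "dest_ip": ev.get("dest_ip"),
                "dest_port": ev.get("dest_port"),
                "url": http.get("url"),
                "reasons": reasons,
            })
    return hits


# Constructed sample indicator list (documentation-range addresses, not Fortinet's published IOCs).
SAMPLE_IOCS = """# constructed sample, one IP per line
203.0.113.10
198.51.100.7
"""

# Constructed sample EVE JSON lines in the shape Suricata writes to eve.json.
SAMPLE_EVE_LINES = [
    # Alert on the page's SID from an IP that is also in the IOC list -> both reasons
    '{"timestamp":"2025-04-01T10:15:02.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":51234,'
    '"dest_ip":"10.0.0.5","dest_port":8080,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2061619,'
    '"rev":1,"signature":"ET EXPLOIT [CORELIGHT] CrushFTP Auth Bypass Attempt (CVE-2025-31161)",'
    '"category":"Attempted Administrator Privilege Gain","severity":1},'
    '"http":{"hostname":"10.0.0.5","url":"/WebInterface/","http_method":"GET"}}',
    # Flow record (no alert) from an IOC IP -> IOC reason only
    '{"timestamp":"2025-04-01T10:16:40.000000+0000","event_type":"flow","src_ip":"203.0.113.10","src_port":40022,'
    '"dest_ip":"10.0.0.5","dest_port":443,"proto":"TCP"}',
    # Unrelated local-rule alert from a non-IOC IP -> no hit
    '{"timestamp":"2025-04-01T10:17:01.000000+0000","event_type":"alert","src_ip":"192.0.2.9","src_port":33001,'
    '"dest_ip":"10.0.0.5","dest_port":8080,"proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL constructed test rule"}}',
    # Truncated line, as left by a log still being written -> skipped
    '{"timestamp":"2025-04-01T10:18:00.000000+0000","event_type":"alert"',
]


if __name__ == "__main__":
    for hit in hunt_eve(SAMPLE_EVE_LINES, load_ioc_ips(SAMPLE_IOCS)):
        print(hit)
```

The second sample hit shows why the IOC match is kept separate from the signature match: a flow to the HTTPS port from a listed address produces no Suricata alert at all, so IOC-based hunting is what surfaces attempts the signature cannot see inside TLS.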

Other Fortinet Products

For details on mitigating this vulnerability with other Fortinet products, see:
https://www.fortiguard.com/outbreak-alert/crushftp-authentication-bypass
