virus logo Threat Signal Report

CrushFTP Authentication Bypass

What is the Vulnerability?

FortiGuard Labs has observed in-the-wild attack attempts targeting CVE-2025-31161, an authentication bypass vulnerability in CrushFTP managed file transfer (MFT) software. Successful exploitation may grant attackers administrative access to the application, posing a serious threat to enterprise environments.

The vulnerability is remotely exploitable, and a proof-of-concept (PoC) exploit is now publicly available. This increases the risk of rapid adoption by threat actors, including ransomware groups who have historically targeted MFT platforms like MOVEit Transfer and Cleo MFT.

According to the Shadowserver Foundation, approximately 1,800 unpatched, internet-exposed CrushFTP instances remain vulnerable globally, heightening the urgency for immediate mitigation.

What is the recommended Mitigation?

  • FortiGuard Labs recommends users to apply the fix provided by the vendor and follow any instructions as mentioned on the vendor's advisory.

  • Limit internet exposure of MFT services wherever possible, or use CrushFTP DMZ function, and further monitor for suspicious activity or unauthorized access attempts.

  • Affected versions include 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0.

    Users should immediately patch to 10.8.4 or 11.3.1 and later.
    https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

What FortiGuard Coverage is available?

  • FortiGuard Labs has available IPS protection for CVE-2025-31161 which detects and block attack attempts targeting CrushFTP Authentication Bypass vulnerability. Intrusion Prevention | FortiGuard Labs

  • FortiGuard Labs has available AV protection for Loader_Lycaon used at post-exploitation. Virus | FortiGuard Labs

  • FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface. FortiClient Vulnerability | FortiGuard Labs

  • FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) linked to the campaigns targeting the CrushFTP vulnerability (CVE-2025-31161).

  • The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

description-logoOutbreak Alert

FortiGuard Labs has identified ongoing and persistent attack attempts in the wild that are aimed at exploiting CVE-2025-31161, which is an authentication bypass vulnerability found in CrushFTP file transfer server. If successfully exploited, this vulnerability could allow attackers to gain administrative access to the application, representing a significant risk to enterprise environments.

View the full Outbreak Alert Report

Additional Resources

Shadow Server
Dark Reading
CrushFTP (DMZ Function)
CISA Known Exploited Vulnerability Advisory (KEV)


Released Date Apr 08, 2025
Tags CrushFTP Authentication Bypass Threat Signal Vulnerability
CVE ID

Experienced a Breach? We're here to help

FortiGuard Incident Response Services
FortiGuard Incident Response Services
Outbreak Alert Outbreak Alert
About FortiGuard Threat Signal

Learn More »