A critical vulnerability (CVE-2025-31161) in CrushFTP managed file transfer software allows attackers to bypass authentication and gain admin-level access. Affecting versions 10.0.0-10.8.3 and 11.0.0-11.3.0, the flaw enables unauthorized actions, including data retrieval and administrative control. Exploitation has been observed since March 30, 2025, with ~1,500 vulnerable instances exposed. Post-exploitation activities include creating backdoor accounts, deploying MeshCentral agents, and using AnyDesk for remote access. A Telegram bot-based malware was also identified. The vulnerability stems from improper S3 authorization header processing and can be exploited with a simple HTTP request. Immediate patching to versions 11.3.1+ or 10.8.4+ is strongly recommended.