{
  "name": "CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation",
  "slug": "crushftp-cve-2025-31161-auth-bypass-and-post-exploitation",
  "description": "A critical vulnerability (CVE-2025-31161) in CrushFTP managed file transfer software allows attackers to bypass authentication and gain admin-level access. The flaw affects versions 10.0.0-10.8.3 and 11.0.0-11.3.0 and enables unauthorized actions, including data retrieval and administrative control. Exploitation has been observed since March 30, 2025, with ~1,500 vulnerable instances exposed. Post-exploitation activities include creating backdoor accounts, deploying MeshCentral agents, and using AnyDesk for remote access. Telegram bot-based malware was also identified. The vulnerability stems from improper processing of the S3 authorization header and can be exploited with a simple HTTP request. Immediate patching to versions 11.3.1+ or 10.8.4+ is strongly recommended.",
  "published": "2025-04-05T05:55:37+00:00",
  "created_at": "2025-04-05T05:55:37+00:00",
  "modified_at": "2025-04-07T06:34:52+00:00",
  "created_at_opencti": "2025-04-05T05:55:37+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-05",
    "CVE-2025-31161",
    "anydesk",
    "authentication bypass",
    "crushftp",
    "meshcentral",
    "meshcentral agent",
    "telegram bot"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:23bdb72c6edfd526",
        "name": "Telegram bot malware",
        "slug": "telegram-bot-malware"
      },
      {
        "id": "legacy:malware:9cbf26c7aa2a1ee0",
        "name": "MeshCentral agent",
        "slug": "meshcentral-agent"
      },
      {
        "id": "7193649e-f5a2-4601-8529-3e35ea193839",
        "name": "AnyDesk",
        "slug": "anydesk"
      }
    ],
    "attack_patterns": [
      {
        "id": "19ce62bb-3faf-4d09-90b1-d82fce1ba8b0",
        "name": "T1136"
      },
      {
        "id": "3245033a-53c4-454c-873a-fb653af0bf8a",
        "name": "T1552"
      },
      {
        "id": "1e1b6cb4-44b5-4e17-b267-bcb104acb1d4",
        "name": "T1546"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Marketing"
      },
      {
        "id": "",
        "name": "Retail"
      },
      {
        "id": "",
        "name": "Semiconductor"
      },
      {
        "id": "",
        "name": "Technology"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/67f0e1f9e7eb1709fa231134",
    "https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation"
  ]
}