# CVE-2025-31161

> CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks f

- **CVSS:** 9.8 (CRITICAL)
- **EPSS:** 86.2%
- **CISA KEV:** yes (known ransomware use)
- **CWE:** CWE-305, NVD-CWE-Other

Canonical: https://intel.threadlinqs.com/cve/CVE-2025-31161
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp