Read Time:1 Minute, 18 Second
What is the Vulnerability?FortiGuard Labs has observed in-the-wild attack attempts targeting CVE-2025-31161, an authentication bypass vulnerability in CrushFTP managed file transfer (MFT) software. Successful exploitation may grant attackers administrative access to the application, posing a serious threat to enterprise environments.The vulnerability is remotely exploitable, and a proof-of-concept (PoC) exploit is now publicly available. This increases the risk of rapid adoption by threat actors, including ransomware groups who have historically targeted MFT platforms like MOVEit Transfer and Cleo MFT.According to the Shadowserver Foundation, approximately 1,800 unpatched, internet-exposed CrushFTP instances remain vulnerable globally, heightening the urgency for immediate mitigation.What is the recommended Mitigation?FortiGuard Labs recommends users to apply the fix provided by the vendor and follow any instructions as mentioned on the vendor`s advisory. Limit internet exposure of MFT services wherever possible, or use CrushFTP DMZ function, and further monitor for suspicious activity or unauthorized access attempts.Affected versions include 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0. Users should immediately patch to 10.8.4 or 11.3.1 and later. https://www.crushftp.com/crush11wiki/Wiki.jsp?page=UpdateWhat FortiGuard Coverage is available? FortiGuard Labs has available IPS protection for CVE-2025-31161 which detects and block attack attempts targeting CrushFTP Authentication Bypass vulnerability.FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) linked to the campaigns targeting the CrushFTP vulnerability (CVE-2025-31161).The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
