CrushFTP: CVE-2025-31161: Authentication bypass

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: Mar 21, 2025
Added: Apr 25, 2025
Modified: Oct 8, 2025

Description

CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access. Please note that this vulnerability is only assessable when the Rapid7 Agent is used for information collection.

Solution

crushftp-crushftp-upgrade-latest