Imperva Customers Are Protected Against CVE-2025-31161 in CrushFTP 

Introduction

A critical security vulnerability, identified as CVE-2025-31161 (previously tracked as CVE-2025-2825), has been discovered in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. This flaw allows unauthenticated remote attackers to access unpatched CrushFTP servers if they’re publicly exposed over HTTP(S). The vulnerability has been actively exploited since March 2025, underscoring the urgency for immediate mitigation.

File transfer programs, such as CrushFTP, are prime targets for attackers due to their critical role in handling sensitive data like personally identifiable information (PII), financial records, and intellectual property. These tools are often integral to organizations’ day-to-day operations, making them valuable for attackers seeking to gain access to confidential information. However, many of these programs suffer from relatively outdated security measures, which increases their vulnerability to exploitation. A notable example of this threat occurred in late 2024 when the ransomware group Clop launched widespread attacks against organizations using the Cleo file transfer program. Clop exploited vulnerabilities such as CVE-2024-50623 and CVE-2024-55956, which allowed them to infiltrate systems and execute ransomware attacks.

Understanding CVE-2025-31161

CVE-2025-31161 arises from a race condition in the AWS4-HMAC (S3-compatible) authorization method within CrushFTP’s HTTP component. Attackers can exploit this flaw by sending specially crafted HTTP requests with manipulated AWS4-HMAC headers, leading the server to authenticate the session without proper user verification. This allows unauthorized users to impersonate legitimate accounts, including administrative ones, potentially compromising the entire system.

The vulnerability affects versions prior to 10.8.4 and 11.3.1. CrushFTP has acknowledged the issue and released patches addressing the flaw. Users are strongly advised to upgrade to these patched versions.
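The two practical checks a defender wants from the section above are "is my CrushFTP build inside the affected ranges?" and "is anything presenting AWS4-HMAC authorization to my CrushFTP HTTP endpoint?". The script below is an added example (not Imperva's or CrushFTP's code) that does both: it classifies a version string against the ranges the advisory names, and it scans access-log lines for requests carrying an AWS4-HMAC (S3-style) authorization scheme. The log format, the client addresses and the request paths are constructed for this example; the scheme name `AWS4-HMAC-SHA256` is the AWS Signature Version 4 identifier and is assumed to be what an S3-compatible client would send.

```python
"""Added example for CVE-2025-31161 triage (not Imperva's or CrushFTP's code).

1. is_vulnerable() reports whether a CrushFTP version falls inside the ranges
   the advisory lists as affected (10.0.0-10.8.3, 11.0.0-11.3.0).
2. flag_aws4_auth_attempts() pulls out log entries whose Authorization scheme
   is AWS4-HMAC, the mechanism the advisory says the exploit abuses.
The log format below is an assumption made for this example.
"""
import re
from typing import Iterable, List, Tuple

# Affected ranges exactly as stated in the advisory: inclusive start and end.
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 8, 3)),  # fixed in 10.8.4
    ((11, 0, 0), (11, 3, 0)),  # fixed in 11.3.1
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v11.2.3' or '11.2' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_vulnerable(version: str) -> bool:
    """True only when the version lies inside a range the advisory names.

    Versions outside both ranges (e.g. 12.x) return False because the advisory
    makes no statement about them; treat that as 'not listed', not 'safe'.
    """
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Constructed sample log (assumed format: client IP, method, path, HTTP status,
# and the Authorization scheme the request carried, or '-' when it had none).
SAMPLE_LOG = """\
203.0.113.7 GET /api/user/list 200 AWS4-HMAC-SHA256
198.51.100.4 POST /login 200 Basic
203.0.113.7 GET /api/user/list 401 AWS4-HMAC-SHA256
192.0.2.9 GET /index.html 200 -
"""

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<scheme>\S+)$"
)


def flag_aws4_auth_attempts(lines: Iterable[str]) -> List[dict]:
    """Return log entries whose Authorization scheme starts with AWS4-HMAC.

    On a CrushFTP host that has no S3-compatible integration every such entry
    deserves a look; a 200 response is ranked 'high' because it means the
    server accepted the request, a rejected attempt is ranked 'medium'.
    """
    hits: List[dict] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m.group("scheme").upper().startswith("AWS4-HMAC"):
            continue
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entry["priority"] = "high" if entry["status"] == 200 else "medium"
        hits.append(entry)
    return hits


if __name__ == "__main__":
    for ver in ("10.8.3", "10.8.4", "11.3.0", "11.3.1"):
        print(ver, "affected" if is_vulnerable(ver) else "not in affected ranges")
    for hit in flag_aws4_auth_attempts(SAMPLE_LOG.splitlines()):
        print(hit["priority"], hit["ip"], hit["method"], hit["path"], hit["status"])
```

Run it as-is to see the version verdicts and the two flagged log entries; to use it on real data, adapt `LOG_RE` to your server's access-log format and feed the file's lines to `flag_aws4_auth_attempts`. The version check is deliberately strict about the advisory's ranges so that a build the advisory does not mention is never reported as affected by mistake.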

Imperva’s Observations

Since the vulnerability’s discovery, Imperva Threat Research has observed thousands of attacks exploiting CVE-2025-31161, originating from 99 different countries. The attacks are primarily targeting Financial Services, Business, and Computing sites in the US, Australia, and Brazil, and attackers are primarily leveraging bots to conduct these attacks.

The choice to target these specific industries and regions is likely driven by the high-value data and assets that these sectors hold. Financial services, for instance, are prime targets due to the vast amounts of sensitive financial data, including account details, credit card information, and other personally identifiable information (PII) that can be sold on the dark web or used for financial fraud. Similarly, the business and computing sectors often deal with critical infrastructure, proprietary business data, and intellectual property, making them lucrative targets for cybercriminals seeking to steal valuable information or disrupt operations for financial gain.

Geographically, the United States is a common focal point due to its strong economic presence and large-scale digital transformation efforts. Many countries also have a large number of organizations relying on systems like CrushFTP for file sharing and management—as of early April, there were over 7,000 exposed CrushFTP instances, including many in North America and several in South America and Oceania—making them ideal targets for attackers seeking to exploit flaws in widely used platforms. The high concentration of attacks in these regions may also reflect a global trend of increased cybercriminal activity aimed at sectors with valuable data, as these countries serve as hubs for international finance, commerce, and technology.

Conclusion

CVE-2025-31161 poses a severe threat to systems using vulnerable versions of CrushFTP. Its exploitation can lead to unauthorized administrative access and complete system compromise. Organizations should act swiftly to apply the available patches and safeguard their systems against potential attacks.

Imperva customers are protected against CVE-2025-31161 out-of-the-box.