PatchSiren cyber security CVE debrief

CVE-2025-31161 CrushFTP CVE debrief

CVE-2025-31161 is a CrushFTP authentication bypass vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2025-04-07. The KEV entry marks it as known exploited and notes known ransomware campaign use, so affected organizations should treat it as an urgent remediation item rather than a routine patch. CISA’s guidance is to apply vendor mitigations, follow BOD 22-01 guidance for cloud services where applicable, or discontinue use of the product if mitigations are unavailable.

Vendor: CrushFTP
Product: CrushFTP
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2025-04-07
Original CVE updated: 2025-04-07
Advisory published: 2025-04-07
Advisory updated: 2025-04-07

Who should care

CrushFTP administrators, security teams, and service owners running affected deployments, especially internet-facing instances and cloud-hosted services. Organizations that rely on CrushFTP for file transfer or external access should prioritize this immediately: CISA lists it as known exploited, notes known ransomware campaign use, and sets a 2025-04-28 remediation due date.

Technical summary

The supplied public sources identify the issue only at a high level: an authentication bypass in CrushFTP. CISA’s KEV record confirms the vulnerability is being actively exploited and links to vendor update guidance, but the supplied corpus does not include root-cause details, affected versions, or exploit mechanics. Because no affected-version range is available here, treat every CrushFTP instance as potentially affected until the vendor’s official remediation guidance confirms otherwise, and verify which deployments are reachable from the internet.

Defensive priority

Immediate / highest priority

Recommended defensive actions

  • Apply the vendor mitigations and updates referenced in CrushFTP’s official update guidance as soon as possible.
  • Prioritize internet-facing and externally reachable CrushFTP deployments for immediate review and remediation.
  • Follow CISA BOD 22-01 guidance for cloud services if CrushFTP is used in a cloud environment.
  • If mitigations are unavailable, discontinue use of the product per CISA guidance.
  • Confirm whether any deployment remains unremediated against the 2025-04-28 CISA due date. That date is binding on federal civilian executive branch agencies under BOD 22-01; other organizations should use it as a benchmark for their own remediation tracking.
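The actions above reduce to a triage loop: read the KEV record, find the CrushFTP hosts in your inventory that are not yet remediated, rank internet-facing ones first, and flag anything past the due date. The following Python is an added example (not PatchSiren’s or CrushFTP’s code) of that loop run offline. The KEV excerpt and the host inventory are constructed sample data; the KEV field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse, requiredAction) follow CISA’s published catalog schema, while the inventory fields and the priority scheme are assumptions for illustration.

```python
"""Triage CrushFTP hosts against a CISA KEV entry (added example, not PatchSiren's code).

The KEV JSON excerpt and the host inventory are CONSTRUCTED sample data.
KEV field names match CISA's catalog schema; the inventory layout and the
P0/P1/P2 scheme are assumptions made for this illustration.
"""
from datetime import date
import json

# Constructed excerpt shaped like CISA's KEV JSON feed (single entry).
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-31161",
            "vendorProject": "CrushFTP",
            "product": "CrushFTP",
            "vulnerabilityName": "CrushFTP Authentication Bypass Vulnerability",
            "dateAdded": "2025-04-07",
            "dueDate": "2025-04-28",
            "knownRansomwareCampaignUse": "Known",
            "requiredAction": "Apply mitigations per vendor instructions, follow "
                              "applicable BOD 22-01 guidance for cloud services, or "
                              "discontinue use of the product if mitigations are unavailable.",
        }
    ]
})

# Constructed asset inventory: hypothetical hosts, not real systems.
INVENTORY = [
    {"host": "ftp-dmz-01", "product": "CrushFTP", "internet_facing": True,  "remediated": False},
    {"host": "ftp-dmz-02", "product": "CrushFTP", "internet_facing": True,  "remediated": True},
    {"host": "ftp-int-01", "product": "CrushFTP", "internet_facing": False, "remediated": False},
    {"host": "web-01",     "product": "nginx",    "internet_facing": True,  "remediated": False},
]


def kev_entry(kev_json: str, cve_id: str) -> dict:
    """Return the catalog record for cve_id, or raise KeyError if not listed."""
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if entry["cveID"] == cve_id:
            return entry
    raise KeyError(f"{cve_id} is not in the supplied KEV feed")


def triage(kev_json: str, inventory: list, cve_id: str, today: date) -> dict:
    """Rank unremediated hosts for the product named in the KEV entry.

    Base priority: internet-facing = P1, internal = P2. A "Known" ransomware
    flag or a passed due date escalates each host one level (floor at P0).
    """
    entry = kev_entry(kev_json, cve_id)
    due = date.fromisoformat(entry["dueDate"])
    overdue = today > due
    ransomware = entry["knownRansomwareCampaignUse"] == "Known"
    escalate = 1 if (ransomware or overdue) else 0

    findings = []
    for host in inventory:
        if host["product"] != entry["product"] or host["remediated"]:
            continue  # different product, or already fixed
        base = 1 if host["internet_facing"] else 2
        findings.append({
            "host": host["host"],
            "priority": max(0, base - escalate),
            "internet_facing": host["internet_facing"],
            "days_past_due": (today - due).days if overdue else 0,
        })
    findings.sort(key=lambda f: (f["priority"], f["host"]))
    return {
        "cve": cve_id,
        "due_date": entry["dueDate"],
        "overdue": overdue,
        "ransomware_use_known": ransomware,
        "required_action": entry["requiredAction"],
        "unremediated": findings,
    }


def report_for(today_iso: str) -> dict:
    """Convenience wrapper: triage the embedded sample data as of a given date."""
    return triage(KEV_JSON, INVENTORY, "CVE-2025-31161", date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(json.dumps(report_for("2025-05-01"), indent=2))
```

Run against a live feed by replacing KEV_JSON with the downloaded CISA catalog and INVENTORY with your CMDB export; the ranking logic is unchanged. Hosts marked remediated drop out of the report, so the "remediated" flag should come from verified patch state, not from a ticket being closed.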

Evidence notes

CISA’s Known Exploited Vulnerabilities catalog lists CVE-2025-31161 as “CrushFTP Authentication Bypass Vulnerability,” with dateAdded 2025-04-07, dueDate 2025-04-28, and knownRansomwareCampaignUse set to “Known.” The KEV record’s required action is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable. The KEV notes reference CrushFTP’s official update wiki, and the supplied corpus also includes official CVE and NVD record links.

Official resources

Public debrief based only on the supplied official sources. The corpus supports the KEV status, remediation timing, and general vulnerability class, but it does not provide exploit code or deeper technical implementation details.