## https://sploitus.com/exploit?id=964E7791-B2DF-59B8-81F3-BEFC914A712D
# CrushFTP 10.8.0 - CVE-2025-31161 Vulnerable Build
Pre-built CrushFTP 10.8.0 (build 4) application package for authorized penetration testing of
[CVE-2025-31161](https://nvd.nist.gov/vuln/detail/CVE-2025-31161).
> [!CAUTION]
> This is an **intentionally vulnerable** application build.
> For authorized security testing and research only.
> Do not deploy on production systems or expose to untrusted networks.
## What's Included
The release asset `CrushFTP10_10.8.0_4.zip` contains the full CrushFTP 10.8.0
build 4 application extracted from the
[`netlah/crushftp:10.8.0_4`](https://hub.docker.com/r/netlah/crushftp/tags)
Docker image.
| File/Directory | Description |
|----------------|-------------|
| `CrushFTP.jar` | Main application (contains the compiled, vulnerable `ServerSessionHTTP` class) |
| `CrushFTP.exe` | Windows service wrapper |
| `plugins/` | BouncyCastle, Derby, SSH, and other runtime libraries |
| `WebInterface/`| Web UI and `CrushTunnel.jar` |
| `users/` | Default user directory template |
**Java is not included.** The companion Ludus role
([rufflabs/ludus_crushftp_cve-2025-31161](https://github.com/rufflabs/ludus_crushftp_cve-2025-31161))
handles JDK provisioning automatically.
## Provenance
```
Source: Docker Hub netlah/crushftp:10.8.0_4
Image: sha256:d6eca9c6a3a9d09debde37590ce91b3b1f8bb7587368639cc847487515e67d03
Build Date: 2024-06-27 01:52:22 UTC
Version: CrushFTP 10.8.0 build 4
Java: Temurin JDK 17.0.11+9 (build-time; not bundled)
```
## CVE-2025-31161 Summary
| Field | Value |
|-------------|-------|
| **CVE** | [CVE-2025-31161](https://nvd.nist.gov/vuln/detail/CVE-2025-31161) |
| **CVSS** | 9.8 (Critical) |
| **CWE** | CWE-305 (Authentication Bypass by Primary Weakness) |
| **Affected**| CrushFTP 10.0.0–10.8.3, 11.0.0–11.3.0 |
| **Patched** | 10.8.4, 11.3.1 |
| **Vector** | Unauthenticated authentication bypass via a malformed `AWS4-HMAC-SHA256` (S3-style) `Authorization` header sent to the web interface |
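Because the vector is a SigV4-looking `Authorization` header that is not actually well-formed, a cheap hunting check is to parse every `AWS4-HMAC-SHA256` header that reaches the CrushFTP web interface and flag the ones that do not fit the public AWS Signature Version 4 layout (three fields, a five-part `Credential` scope ending in `aws4_request`, a 64-hex-character `Signature`). The script below is an added example written for this page, not code from the repository or from CrushFTP; the JSON-lines log format, its field names (`src`, `path`, `authorization`) and the three log records are constructed for the demo and are not CrushFTP's own log format. It flags any scope that does not have five non-empty parts, which is broader than the specific malformation the referenced writeups describe.

```python
"""Flag malformed AWS4-HMAC-SHA256 Authorization headers in constructed proxy logs.

A well-formed SigV4 header (public AWS format) looks like:
  AWS4-HMAC-SHA256 Credential=<key>/<yyyymmdd>/<region>/<service>/aws4_request,
  SignedHeaders=<h1;h2;...>, Signature=<64 lowercase hex chars>
Anything announcing SigV4 without that shape is worth a look on a CrushFTP host.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SIGV4_PREFIX = "AWS4-HMAC-SHA256"
_HEX64 = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class SigV4Check:
    ok: bool
    reason: str
    principal: Optional[str] = None  # first Credential component, if any


def check_sigv4_header(value: str) -> SigV4Check:
    """Validate the structure of one Authorization header value."""
    value = value.strip()
    if not value.startswith(SIGV4_PREFIX):
        return SigV4Check(False, "not a SigV4 header")
    fields = {}
    for part in value[len(SIGV4_PREFIX):].split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return SigV4Check(False, f"field without '=': {part!r}")
        key, val = part.split("=", 1)
        fields[key.strip()] = val.strip()
    cred = fields.get("Credential")
    if cred is None:
        return SigV4Check(False, "missing Credential")
    scope = cred.split("/")
    principal = scope[0] or None
    if len(scope) != 5 or not all(scope):
        return SigV4Check(False, f"Credential scope has {len(scope)} parts, expected 5", principal)
    if not re.fullmatch(r"\d{8}", scope[1]):
        return SigV4Check(False, "Credential date is not YYYYMMDD", principal)
    if scope[4] != "aws4_request":
        return SigV4Check(False, "Credential scope does not end in aws4_request", principal)
    if not fields.get("SignedHeaders"):
        return SigV4Check(False, "missing SignedHeaders", principal)
    if not _HEX64.match(fields.get("Signature", "")):
        return SigV4Check(False, "Signature is not 64 lowercase hex chars", principal)
    return SigV4Check(True, "well-formed", principal)


# Constructed sample log (hypothetical reverse-proxy JSON lines, not CrushFTP's format).
SAMPLE_LOG = """\
{"ts":"2025-04-01T10:00:01Z","src":"10.0.0.5","method":"GET","path":"/WebInterface/function/","authorization":"AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250401/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
{"ts":"2025-04-01T10:00:02Z","src":"203.0.113.9","method":"GET","path":"/WebInterface/function/","authorization":"AWS4-HMAC-SHA256 Credential=crushadmin/20250401"}
{"ts":"2025-04-01T10:00:03Z","src":"10.0.0.6","method":"POST","path":"/WebInterface/login/","authorization":"Basic Y3J1c2hhZG1pbjpQYXNzd29yZDEyMw=="}
"""


def scan_log(text: str) -> List[Tuple[str, str, Optional[str], str]]:
    """Return (src, path, claimed principal, reason) for each malformed SigV4 header."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        auth = rec.get("authorization", "")
        if not auth.startswith(SIGV4_PREFIX):
            continue  # non-SigV4 auth is out of scope for this check
        result = check_sigv4_header(auth)
        if not result.ok:
            hits.append((rec["src"], rec["path"], result.principal, result.reason))
    return hits


if __name__ == "__main__":
    for src, path, who, why in scan_log(SAMPLE_LOG):
        print(f"{src} -> {path} as {who!r}: {why}")
```

The claimed principal is reported because, on a bypass, the username named in `Credential` is the account the attacker is trying to become; a malformed header naming an admin account from an untrusted source is the line to pivot on.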
## Manual Lab Setup
If you're not using Ludus, you can set this up manually:
```bash
# Download the release asset
wget https://github.com/rufflabs/crushftp_cve-2025-31161/releases/download/v10.8.0_4/CrushFTP10_10.8.0_4.zip
# Extract
unzip CrushFTP10_10.8.0_4.zip -d /opt/crushftp
cd /opt/crushftp
# Create admin user
java -jar CrushFTP.jar -a crushadmin Password123
# Start
java -Xmx512m -jar CrushFTP.jar -d
```
Requires JDK 17+. The web interface listens on `:8080` (HTTP) and `:443` (HTTPS); binding `:443` on Linux needs root or `CAP_NET_BIND_SERVICE`. Keep the instance on an isolated lab network, since it is exploitable without credentials.
## References
- [ProjectDiscovery Technical Writeup](https://projectdiscovery.io/blog/crushftp-authentication-bypass)
- [Huntress In-the-Wild Analysis](https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation)
- [Exploit-DB PoC](https://www.exploit-db.com/exploits/52295)
- [Immersive Labs PoC](https://github.com/Immersive-Labs-Sec/CVE-2025-31161)
## License
The CrushFTP software is proprietary and owned by CrushFTP LLC. This
repository hosts a specific build for security research purposes under fair
use. No license is granted for production use of CrushFTP. Visit
[crushftp.com](https://www.crushftp.com/pricing.html) for commercial licensing.