## https://sploitus.com/exploit?id=983CAFED-3C66-576E-BB1A-B397A3A030D6
# Ansible Role: CrushFTP CVE-2025-31161 ([Ludus](https://ludus.cloud))
An Ansible Role that deploys a vulnerable [CrushFTP 10.8.0](https://www.crushftp.com/) instance on Windows for authorized penetration testing of [CVE-2025-31161](https://nvd.nist.gov/vuln/detail/CVE-2025-31161) (authentication bypass).
The vulnerable CrushFTP binary is hosted at [rufflabs/crushftp_cve-2025-31161](https://github.com/rufflabs/crushftp_cve-2025-31161) and downloaded automatically at deploy time. If that repo is unavailable, the role falls back to pulling directly from Docker Hub.
> [!WARNING]
> This role deploys an **intentionally vulnerable** application.
> Use only in isolated lab environments. Do not expose to untrusted networks.
## Requirements
- Target must be a Windows VM with WinRM enabled.
- The Ludus host needs outbound HTTPS to GitHub and `api.adoptium.net` on first deploy (files are cached after that).
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
```yaml
# GitHub Release URL for the vulnerable CrushFTP build
ludus_crushftp_download_url: "https://github.com/rufflabs/crushftp_cve-2025-31161/releases/download/v10.8.0_4/CrushFTP10_10.8.0_4.zip"
# Fall back to Docker Hub if GitHub download fails
ludus_crushftp_fallback_to_docker: true
# Installation path on the Windows target
ludus_crushftp_install_dir: "C:\\CrushFTP"
# Admin account (default exploit target for CVE-2025-31161)
ludus_crushftp_admin_user: "crushadmin"
ludus_crushftp_admin_password: "CrushAdmin123!"
# Windows service settings
ludus_crushftp_service_name: "CrushFTP"
ludus_crushftp_service_start_mode: auto
# Network ports
ludus_crushftp_http_port: 8080
ludus_crushftp_https_port: 443
# Create Windows Firewall allow rules
ludus_crushftp_configure_firewall: true
```
## Dependencies
None.
## Example Ludus Range Config
```yaml
ludus:
  - vm_name: "{{ range_id }}-crushftp"
    hostname: "{{ range_id }}-CRUSH"
    template: win2022-server-x64-template
    vlan: 20
    ip_last_octet: 10
    ram_gb: 4
    cpus: 2
    windows:
      sysprep: true
    roles:
      - rufflabs.ludus_crushftp_cve_2025_31161
    role_vars:
      ludus_crushftp_admin_user: "crushadmin"
      ludus_crushftp_admin_password: "CrushAdmin123!"
```
## Ludus Usage
```bash
# Add the role
ludus ansible role add rufflabs.ludus_crushftp_cve_2025_31161
# Update your range config
ludus range config get > config.yml
# Edit config.yml to add the role (see example above)
ludus range config set -f config.yml
# Deploy (role only, if range is already up)
ludus range deploy -t user-defined-roles
```
## Example Standalone Playbook
```yaml
- hosts: crushftp_hosts
  roles:
    - rufflabs.ludus_crushftp_cve_2025_31161
```
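A variant of the standalone playbook that turns off the role's own firewall rules and opens the two CrushFTP ports to a single lab subnet only, in keeping with the isolation warning at the top. This is an added example, not part of the role: the `lab_attacker_subnet` variable, its `10.2.99.0/24` value and the rule names are assumptions, and the `community.windows` collection must be installed.

```yaml
# Added example (not from the role): limit inbound access to the lab's attack subnet.
- hosts: crushftp_hosts
  vars:
    # Assumption: subnet that holds the attack VMs; replace with your range's value.
    lab_attacker_subnet: "10.2.99.0/24"
    # Same values as the role defaults, set here so the tasks below can reuse them.
    ludus_crushftp_http_port: 8080
    ludus_crushftp_https_port: 443
  roles:
    - role: rufflabs.ludus_crushftp_cve_2025_31161
      vars:
        # Skip the role's own allow rules; scoped rules are created in post_tasks.
        ludus_crushftp_configure_firewall: false
  post_tasks:
    - name: Allow CrushFTP ports from the attack subnet only
      community.windows.win_firewall_rule:
        name: "Lab CrushFTP {{ item }} (scoped)"
        localport: "{{ item }}"
        protocol: tcp
        direction: in
        action: allow
        remoteip: "{{ lab_attacker_subnet }}"
        state: present
        enabled: true
      loop:
        - "{{ ludus_crushftp_http_port }}"
        - "{{ ludus_crushftp_https_port }}"
```

The scoped rules only restrict access while Windows Firewall is enabled on the target. If the role was deployed earlier with `ludus_crushftp_configure_firewall: true`, the rules it created may still be present and need to be removed separately.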
## Testing the Exploit
Once deployed, test from your attack VM:
```bash
# Replace <TARGET_IP> with the address of the deployed lab VM
# Nuclei detection
nuclei -u http://<TARGET_IP>:8080 -t CVE-2025-2825.yaml
# Immersive Labs PoC (creates a backdoor admin account)
python3 cve-2025-31161.py \
  --target_host http://<TARGET_IP>:8080 \
  --target_user crushadmin \
  --new_user backdoor \
  --password backdoor123
```
## How It Works
1. **Download:** Fetches `CrushFTP10_10.8.0_4.zip` from `rufflabs/crushftp_cve-2025-31161` GitHub Releases (falls back to the Docker Hub registry API if unavailable). Downloads Adoptium JDK 21. Both are cached on the Ludus host at `/opt/ludus/resources/crushftp/`.
2. **Install:** Copies the cached files to the Windows target, then extracts CrushFTP and the JDK.
3. **Configure:** Creates the `crushadmin` account, installs the Windows service, sets `JAVA_HOME`, and opens firewall ports.
## Related Repositories
| Repository | Purpose |
|------------|---------|
| [rufflabs/crushftp_cve-2025-31161](https://github.com/rufflabs/crushftp_cve-2025-31161) | Hosts the vulnerable CrushFTP binary as a GitHub Release asset |
| [rufflabs/ludus_crushftp_cve-2025-31161](https://github.com/rufflabs/ludus_crushftp_cve-2025-31161) | This role: Ansible/Ludus automation for deployment |
## References
- [NVD: CVE-2025-31161](https://nvd.nist.gov/vuln/detail/CVE-2025-31161)
- [ProjectDiscovery Writeup](https://projectdiscovery.io/blog/crushftp-authentication-bypass)
- [Huntress Analysis](https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation)
- [Exploit-DB PoC](https://www.exploit-db.com/exploits/52295)
- [Immersive Labs PoC](https://github.com/Immersive-Labs-Sec/CVE-2025-31161)
## License
MIT
## Author Information
This role was created by [rufflabs](https://github.com/rufflabs), for [Ludus](https://ludus.cloud/).