TTPwire Vol. 1 · MITRE ATT&CK · Tagged

Huntress

CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation

2025-04-04

ATT&CK techniques detected

16 predictions
T1219 Remote Access Tools
98%
"…mp\msiinstall.exe --install "c:\windows\temp\anydesk" --silent" cmd.exe /c "echo licence_key123 | "c:\windows\temp\anydesk\anydesk.exe" --register-licence" cmd.exe /c "echo anydesk@123 | "c:\windows\temp\anydesk\anydesk.exe…"
T1190 Exploit Public-Facing Application
97%
"CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation. Updated 04/08/2025 @ 3pm ET. TL;DR: CVE-2025-31161 is a critical severity vulnerability allowing attackers to control how user authentication is handled by CrushFTP managed file transfer (MFT) software. W…"
T1190 Exploit Public-Facing Application
97%
"and 10.8.4+. Huntress has validated and confirmed the authentication bypass is prevented in patched versions. Please ensure your own installations of CrushFTP are updated to the latest versions. If your CrushFTP instance is publicly exposed to the open internet, we strongly re…"
T1219 Remote Access Tools
92%
"in further details in the following sections. Huntress has seen exploitation of CVE-2025-31161 across five distinct hosts from five different companies. Three of these companies were hosted by the same MSP. The types of companies affected ranged from marketing, retail, and se…"
T1190 Exploit Public-Facing Application
89%
"…FTP was published as CVE-2025-2825 on March 26. Before the publication of this post on April 3, the NIST National Vulnerability Database entry for CVE-2025-2825 was updated to reflect that the CVE was rejected, and is a reservation duplicate of CVE-2025-31161. Speci…"
T1564.003 Hidden Window
85%
"('win-console').hide(); require('win-dispatcher').connect('3530'); On other detected endpoints, the MeshAgent post-exploitation installation was identical to the above, but on another endpoint, the base64 string decoded to: require('win-console')…"
T1078.003 Local Accounts
76%
"new admin account to use as a persistent backdoor: There are a few things to call out in the log excerpt above: - Note the first two lines, which match the pattern of our recreated PoC artifacts -- and the observed adversary IP address, 172.235.144[.]67. - They leverage t…"
T1219 Remote Access Tools
76%
"including 146.70.166[.]201 used for uploading storm.exe and 143.244.47[.]67 for deleting storm.exe and then for uploading mx.exe. What is Huntress doing? Post-exploitation efforts are already thoroughly covered by Huntress detection rules. In response to these intr…"
T1204.002 Malicious File
63%
"see threat actors targeting the CrushFTP flaw. On April 7, a threat actor was observed exploiting a vulnerable instance of CrushFTP (version 10) in order to install the SimpleHelp RMM on a host as a persistence mechanism. Figure 7: The threat actor's post-exploitation acti…"
T1059.001 PowerShell
54%
"the Defender exclusions list for the directory before re-uploading mx.exe, in a bid for defense evasion that we have previously outlined. We see this through the following command: powershell -exec bypass -enc == The base64 string in the above command decodes to: add-mp…"
T1055.001 Dynamic-link Library Injection
54%
"1ab5a915e306686a1c7bebd03563a977 ("/windows/temp/d3d11.dll" 4358656) STOR * After MeshAgent's installation, another DLL was pulled onto the host. While we didn't observe execution of this DLL we can gain some high level insight from it. It's a large C++ binary t…"
T1219.002 Remote Desktop Software
50%
"in further details in the following sections. Huntress has seen exploitation of CVE-2025-31161 across five distinct hosts from five different companies. Three of these companies were hosted by the same MSP. The types of companies affected ranged from marketing, retail, and se…"
T1204.002 Malicious File
39%
"_resume_loc:0 *read:* c2f:odaj *wrote:* 150 opening binary data connection. ready to write file /windows/temp/mesch.exe. STOR *wrote:* HTTP/1.1 200 OK *... read:* POST /webinterface/function/ HTTP/1.1 *read:* User-Agent: Mozilla/5.0 (…"
T1204.002 Malicious File
37%
"including 146.70.166[.]201 used for uploading storm.exe and 143.244.47[.]67 for deleting storm.exe and then for uploading mx.exe. What is Huntress doing? Post-exploitation efforts are already thoroughly covered by Huntress detection rules. In response to these intr…"
T1210 Exploitation of Remote Services
36%
"in further details in the following sections. Huntress has seen exploitation of CVE-2025-31161 across five distinct hosts from five different companies. Three of these companies were hosted by the same MSP. The types of companies affected ranged from marketing, retail, and se…"
T1078.001 Default Accounts
33%
"address>:<ephemeral-port> post|<timestamp>|[http:1_<ephemeral-port>:crushadmin:<attacker-ip-address>] wrote:* HTTP/1.1 200 OK * Bear in mind, this is only a test of bypassing authentication to act as the crushadmin user -- follow-on exploi…"

Summary

Huntress observed in-the-wild exploitation of CVE-2025-31161, an authentication bypass vulnerability in CrushFTP managed file transfer software, and follow-on post-exploitation activity leveraging MeshCentral and other malware.