CrushFTP Authentication Bypass Exploitation

name: CrushFTP Authentication Bypass Exploitation
id: 82eb7f64-d219-4e21-acfe-956de84c1a35
version: 6
creation_date: '2025-04-14'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects potential exploitation of the CrushFTP authentication bypass vulnerability (CVE-2025-31161). This detection identifies suspicious command execution patterns associated with exploitation of this vulnerability, such as executing mesch.exe with specific arguments like b64exec or fullinstall. This activity is indicative of an attacker exploiting CVE-2025-31161 to gain unauthorized access to the CrushFTP server and perform post-exploitation activities.
data_source:
    - CrushFTP
search: '`crushftp` | rex field=_raw "\\[HTTP:[^:]+:(?<user>[^:]+):(?<src_ip>[^\\]]+)\\]" | rex field=_raw "cmd:(?<process>[^\\*\\r\\n]+)" | where isnotnull(process) AND (match(process, "mesch\.exe") OR match(process, "b64exec") OR match(process, "fullinstall") OR match(process, "run")) | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, user, process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crushftp_authentication_bypass_exploitation_filter`'
how_to_implement: To implement this detection, you need to ingest CrushFTP logs into your Splunk environment. Configure CrushFTP to forward logs to Splunk via a syslog forwarder or direct file monitoring. This detection searches for CrushFTP logs containing suspicious command execution patterns commonly associated with exploitation of the CVE-2025-31161 vulnerability.
known_false_positives: False positives may occur if there are legitimate administrative commands being executed on the CrushFTP server that match the suspicious patterns. Review the commands being executed to determine if the activity is legitimate administrative work or potential malicious activity.
references:
    - https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
    - https://nvd.nist.gov/vuln/detail/CVE-2025-31161
    - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
drilldown_searches:
    - name: View the detection results for - "$src_ip$"
      search: '%original_detection_search% | search src_ip = "$src_ip$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src_ip$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: Potential CrushFTP authentication bypass exploitation from IP $src_ip$ as user $user$
    entity:
        field: user
        type: user
        score: 50
intermediate_findings:
    entities:
        - field: src_ip
          type: system
          score: 50
          message: Potential CrushFTP authentication bypass exploitation from IP $src_ip$ as user $user$
analytic_story:
    - CrushFTP Vulnerabilities
    - Hellcat Ransomware
asset_type: Web Server
cve:
    - CVE-2025-31161
mitre_attack_id:
    - T1190
    - T1059.003
    - T1059.001
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: web
security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/crushftp/crushftp11_session.log
          sourcetype: crushftp:sessionlogs
          source: crushftp
      test_type: unit