CrushFTP just shipped a patch for CVE-2025-31161: authentication bypass in the WebInterface component, CVSS 9.8, unauthenticated, network-accessible, low complexity. The mechanics are what you’d expect — the session token validation is broken in a way that lets an attacker forge a CrushAuth cookie that the server accepts as belonging to an existing admin session. No credentials required. Full admin on arrival.

That’s the hook. Here’s what I actually want to talk about.

Two Years of Watching This Pattern

MOVEit Transfer. GoAnywhere MFT. Fortra FileCatalyst. Now CrushFTP. If you’ve been paying attention since 2023, you recognize the shape. Managed File Transfer products have become the preferred entry point for financially motivated threat actors, and it’s not a coincidence. There’s a structural argument here that the industry has been avoiding.

Cl0p’s 2023 MOVEit campaign was the signal event. SQL injection, unauthenticated, exploited as a zero-day. Over 2,700 organizations affected — healthcare systems, federal agencies, financial services firms, pension funds. Cl0p’s play wasn’t ransomware in the traditional sense. They didn’t encrypt anything. They exfiltrated everything staged on the server, then threatened to publish it. Estimates on aggregate payouts from that single campaign ran into the hundreds of millions of dollars. From one zero-day. In one product category.

GoAnywhere MFT followed immediately. Pre-auth RCE. Cl0p again. 130+ organizations. Same playbook. FileCatalyst this year — unauthenticated file upload to code execution. Now CrushFTP.

This is not a string of bad luck. This is a target class.

Why MFT Specifically

Work through the logic of what an MFT server actually is from an attacker’s perspective.

MFT sits at the intersection of every sensitive data flow in an organization. HR sends payroll files through it. Finance sends audit materials. Legal sends contract packages. M&A teams transfer deal documents. IT sends backup archives. Everything that needs to move securely across organizational boundaries — to partners, auditors, regulators, clients — goes through MFT. The product is, by design, the aggregation point for an organization’s most sensitive in-transit data.

It has direct access to the data, not just metadata. Admin access to CrushFTP means you can read, download, and delete every file currently staged for transfer. You’re not reading logs of what moved — you’re reading the actual files, right now, as they wait for their recipients.

It’s internet-exposed by design. MFT can’t function if external partners can’t reach it. You can’t put it behind a VPN and still have your auditors at Deloitte pull their files. The attack surface is inherent to the product’s purpose. You can harden it; you can’t hide it.

And critically: it was chronically under-resourced from a security perspective. For years, MFT was “back office infrastructure.” Not the crown jewels. Security investment scales with perceived risk, and the perceived risk of the file transfer appliance in the corner was low. The compliance teams that bought it cared about audit logs and access controls as checkbox items. The security teams that might have scrutinized it weren’t paying attention to it.

That’s the combination Cl0p figured out in 2023: maximum data density, mandatory internet exposure, minimal security investment. The ROI on a single zero-day in this category is extraordinary. And once the economics work, the playbook propagates.

What Full Admin on CrushFTP Actually Gets You

Let’s be specific about what CVE-2025-31161 hands an attacker on a compromised CrushFTP instance.

Every file currently on the server — readable, downloadable, deletable. All user accounts and their stored credentials. Server-side scripting and job execution capabilities, which is your code execution path. Connection configuration to back-end storage: local directories, SMB shares, S3 buckets, SFTP destinations. That’s your lateral movement surface — the MFT server is a hub with spokes into every storage system it connects to. And the audit logs, which can be cleared to complicate forensics and extend attacker dwell time.
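To make that post-compromise activity visible from the defender's side, here is an added detection sketch (my example, not code from the post or from CrushFTP) run over constructed transfer-log lines. It flags three things the paragraph above describes: one session pulling an unusual volume of staged files, an admin login from a source that admins do not normally use, and any action that clears the audit log. The log format, the thresholds and the admin source allowlist are assumptions for the example; CrushFTP's real log format differs, so `parse_line` would need to be adapted before running this against a real instance.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (NOT CrushFTP's real log format). Fields are
# "<ISO timestamp> user=<name> ip=<source> action=<verb> path=<file> bytes=<n>".
SAMPLE_LOG = """\
2025-04-01T02:10:05 user=crushadmin ip=203.0.113.7 action=LOGIN path=- bytes=0
2025-04-01T02:10:09 user=crushadmin ip=203.0.113.7 action=DOWNLOAD path=/hr/payroll_q1.xlsx bytes=4120000
2025-04-01T02:10:21 user=crushadmin ip=203.0.113.7 action=DOWNLOAD path=/finance/audit_pack.zip bytes=91000000
2025-04-01T02:10:44 user=crushadmin ip=203.0.113.7 action=DOWNLOAD path=/legal/contracts_2025.zip bytes=55000000
2025-04-01T02:11:02 user=crushadmin ip=203.0.113.7 action=DOWNLOAD path=/ma/project_falcon.7z bytes=230000000
2025-04-01T02:11:30 user=crushadmin ip=203.0.113.7 action=DOWNLOAD path=/it/backup_2025-03.tar bytes=800000000
2025-04-01T02:13:40 user=crushadmin ip=203.0.113.7 action=CLEAR_LOG path=- bytes=0
2025-04-01T09:00:01 user=alice ip=198.51.100.20 action=LOGIN path=- bytes=0
2025-04-01T09:00:14 user=alice ip=198.51.100.20 action=DOWNLOAD path=/partners/invoice_0331.pdf bytes=120000
2025-04-01T09:04:50 user=alice ip=198.51.100.20 action=DOWNLOAD path=/partners/po_0331.pdf bytes=98000
"""

# Assumed policy values for this example; tune them to the deployment's baseline.
WINDOW = timedelta(minutes=5)
MAX_FILES_PER_WINDOW = 4             # distinct staged files one session may pull per window
MAX_BYTES_PER_WINDOW = 500_000_000   # 500 MB per window
ADMIN_USERS = {"crushadmin"}
ADMIN_SOURCE_ALLOWLIST = {"10.0.5.10"}  # where admin logins are expected to come from
LOG_TAMPER_ACTIONS = {"CLEAR_LOG", "DELETE_LOG"}


def parse_line(line):
    """Turn one constructed log line into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            key, value = kv.split("=", 1)
            rec[key] = value
        rec["bytes"] = int(rec["bytes"])
        return rec
    except (ValueError, KeyError):
        return None


def parse_log(text):
    """Parse every line of a log blob, silently dropping lines that do not fit the format."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def detect(records):
    """Return a list of (rule, user, ip, detail) alerts over the parsed records."""
    alerts = []
    downloads = defaultdict(list)  # (user, ip) -> [(timestamp, path, bytes)]
    for r in records:
        key = (r["user"], r["ip"])
        if r["action"] in LOG_TAMPER_ACTIONS:
            alerts.append(("audit_log_tamper", r["user"], r["ip"], r["action"]))
        if (r["action"] == "LOGIN" and r["user"] in ADMIN_USERS
                and r["ip"] not in ADMIN_SOURCE_ALLOWLIST):
            alerts.append(("admin_login_unexpected_source", r["user"], r["ip"], r["ip"]))
        if r["action"] == "DOWNLOAD":
            downloads[key].append((r["ts"], r["path"], r["bytes"]))

    # Sliding window over each session's downloads: fire once per session on the
    # first window that exceeds either the distinct-file count or the byte volume.
    for (user, ip), events in downloads.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            n_files = len({path for _, path, _ in window})
            n_bytes = sum(size for _, _, size in window)
            if n_files > MAX_FILES_PER_WINDOW or n_bytes > MAX_BYTES_PER_WINDOW:
                alerts.append(("bulk_download", user, ip,
                               f"{n_files} files, {n_bytes} bytes within {WINDOW}"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the admin session trips all three rules while the partner user's two small downloads stay quiet. The audit-log-clear rule is the one to wire to an alert that lives outside the MFT host, since the whole point of that action is to remove the evidence the other two rules depend on.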

CrushFTP is specifically deployed in regulated industries because of its compliance feature list. HIPAA controls, SOX audit trails, FedRAMP-adjacent configurations. That feature list is why it’s in healthcare systems, financial services firms, and government contractors. Those environments are exactly where the data Cl0p and similar actors want is concentrated. The compliance posture is the targeting signal, not a deterrent.

The Silent Patching Problem

CrushFTP initially disclosed this vulnerability only to customers through their portal, without issuing a public CVE. The patch existed. The CVE did not. The broader community — researchers, defenders at non-subscriber organizations, the people running unpatched instances who don’t follow vendor portals closely — had no signal to act on.

This is called silent patching, and for a CVSS 9.8 it’s indefensible. The gap between “patch available” and “CVE published” is a window where defenders don’t know they need to act. Threat actors share intelligence. They find out about patches, reverse-engineer the diff, and weaponize the vulnerability before defenders have been told a vulnerability exists. CrushFTP’s approach prioritizes the appearance of responsible disclosure while structurally benefiting attackers.

The CVE got published after public pressure from researchers. Which is the correct outcome, achieved through the wrong process. Vendors in the MFT space need to understand that for their specific product category — the one that’s been a primary exfiltration vector for two consecutive years — the benefit of the doubt on disclosure practices is gone.

The Industry That’s Still Catching Up

Encrypted backups are a defense against ransomware. They don’t help when the data was exfiltrated from MFT before encryption was ever attempted. That’s the point Cl0p established in 2023 and every subsequent campaign has reinforced: the defense model that most organizations built assumes the attacker wants to encrypt things. The data theft extortion model doesn’t care about your backups.

The organizations running unpatched CrushFTP instances right now are the same organizations that were running unpatched MOVEit in May 2023. Different product, same exposure pattern. Same data sitting on the server. Same internet-facing attack surface. The lesson from the last two years is apparently still not fully priced in.

Patch CrushFTP immediately if you’re running it. Audit what’s currently staged on the server. Review your MFT network topology and figure out what back-end storage it touches. Treat it like the high-value target it is — because that’s how the threat actors have been treating it since Cl0p ran the numbers.
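As an added example of the audit and topology-review steps just listed (mine, not the post's or the vendor's code), the following Python script inventories a staging directory and then lists the back-end "spokes" the MFT host can reach with stored credentials. The staging tree is constructed in a temporary directory so the script runs offline; the sensitivity keywords, the one-week staleness cut-off and the connection-config schema are all assumptions for the example and are not CrushFTP's own, so `summarize_backends` would need to read the real configuration instead of `SAMPLE_CONFIG`.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed heuristics for this example: path tokens and extensions that usually mark
# the kinds of data the post says flow through MFT (payroll, audit, legal, deals, backups).
SENSITIVE_TOKENS = {"hr", "payroll", "finance", "audit", "legal", "contract",
                    "contracts", "ma", "deal", "backup"}
ARCHIVE_EXTS = {".zip", ".7z", ".tar", ".gz", ".bak"}
STALE_AFTER_SECONDS = 7 * 24 * 3600  # a file staged for more than a week should already be gone

# Constructed connection config; the schema is an assumption, not CrushFTP's real one.
SAMPLE_CONFIG = {"connections": [
    {"name": "corp-share", "type": "smb", "target": "\\\\fileserver01\\transfers", "credential": "svc_mft"},
    {"name": "archive-bucket", "type": "s3", "target": "s3://example-archive", "credential": "<stored key>"},
    {"name": "partner-sftp", "type": "sftp", "target": "sftp.partner.example", "credential": None},
    {"name": "local-staging", "type": "local", "target": "/srv/mft/staging", "credential": None},
]}


def _tokens(rel_path):
    """Split a relative path into lowercase alphanumeric tokens for keyword matching."""
    return set(re.split(r"[^a-z0-9]+", rel_path.lower())) - {""}


def inventory_staging(root, now=None):
    """Walk a staging root and summarise what admin-level access could read right now."""
    now = time.time() if now is None else now
    root = Path(root)
    files = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        st = p.stat()
        rel = p.relative_to(root).as_posix()
        files.append({
            "path": rel,
            "bytes": st.st_size,
            "age_s": now - st.st_mtime,
            "sensitive": bool(_tokens(rel) & SENSITIVE_TOKENS),
            "archive": p.suffix.lower() in ARCHIVE_EXTS,
        })
    return {
        "files": len(files),
        "bytes": sum(f["bytes"] for f in files),
        "sensitive_files": sorted(f["path"] for f in files if f["sensitive"]),
        "stale_files": sorted(f["path"] for f in files if f["age_s"] > STALE_AFTER_SECONDS),
        "archives": sorted(f["path"] for f in files if f["archive"]),
    }


def summarize_backends(config):
    """List every back-end the MFT host reaches and whether it holds a credential for it.

    A spoke with a stored credential is lateral-movement reach for anyone who gets
    admin on the MFT server, so those are the ones to review first.
    """
    return [{
        "name": c["name"],
        "type": c["type"],
        "target": c["target"],
        "stored_credential": bool(c.get("credential")),
    } for c in config.get("connections", [])]


def build_fixture(now=None):
    """Create a CONSTRUCTED staging tree in a temp dir with back-dated mtimes; returns (root, now)."""
    now = time.time() if now is None else now
    root = Path(tempfile.mkdtemp(prefix="mft-staging-"))
    day = 24 * 3600
    sample = [("hr/payroll_q1.xlsx", 4_000, 2 * day),
              ("finance/audit_pack.zip", 90_000, 10 * day),
              ("partners/invoice_0331.pdf", 1_200, 1 * day),
              ("it/backup_2025-03.tar", 800_000, 30 * day)]
    for rel, size, age in sample:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * size)
        os.utime(p, (now - age, now - age))
    return root, now


if __name__ == "__main__":
    root, now = build_fixture()
    inv = inventory_staging(root, now=now)
    print(f"{inv['files']} staged files, {inv['bytes']} bytes")
    print("sensitive:", inv["sensitive_files"])
    print("stale (>7d):", inv["stale_files"])
    for spoke in summarize_backends(SAMPLE_CONFIG):
        flag = "CREDENTIALED" if spoke["stored_credential"] else "no stored credential"
        print(f"{spoke['type']:5} {spoke['target']:35} {flag}")
```

Point `inventory_staging` at the real staging root instead of the fixture to get the same summary for a live server; the stale-file list is usually the most actionable output, because every file still sitting there past its transfer is exposure with no remaining business purpose.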

The math on this attack class is not going to change until the ROI does.


PGP signature: crushftp-pre-auth-mft-is-the-target.md.asc — Key fingerprint: 5FD2 1B4F E7E4 A3CA 7971 CB09 DE66 3978 8E09 1026