Cybersecurity firm Huntress has reported ongoing attacks exploiting a recently disclosed vulnerability in CrushFTP, a widely used enterprise file transfer server, SecurityWeek reports. Tracked as CVE-2025-31161, the flaw allows attackers to bypass authentication and gain unauthorized access to affected servers. The vulnerability, discovered by researchers at Outpost24, drew attention because of how quickly it was exploited in the wild after disclosure. The incident has also sparked controversy: CrushFTP's developers criticized the early release of technical details and the assignment of a CVE, which they believe accelerated exploitation.
According to Huntress, exploitation attempts have been observed since March 30. Initial activity looked like reconnaissance, but the attackers soon moved to post-exploitation techniques aimed at establishing persistent access. Targets included four organizations in the marketing, retail, and semiconductor industries, three of which were hosted by the same managed service provider (MSP). In these cases the attackers used legitimate remote-access tools, AnyDesk and MeshAgent, to maintain access, and harvested credentials by dumping registry hives.
Analysis of malicious DLL files deployed alongside MeshAgent revealed that the attackers used a Telegram bot to receive telemetry from compromised machines. Although Huntress has not attributed the attacks to a specific threat actor, the company shared indicators of compromise (IoCs) to help defenders identify and block the activity. The motive remains unclear, though data theft is a likely objective given the tools and techniques used.
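As an added example, not part of the SecurityWeek or Huntress reporting, the following Python hunts for the three post-exploitation behaviours named above (registry hive dumping, dropped remote-access tools, Telegram-bot telemetry) over constructed Sysmon-style process-creation and DNS events. The `reg save` command lines, the AnyDesk install flags and the `api.telegram.org` lookups are common patterns assumed for illustration; the article does not publish the actual commands or IoCs Huntress observed, so these are not Huntress's indicators.

```python
"""
Hunting helpers for the post-exploitation behaviours described in the
article.  Every event below is constructed for this example; the command
lines and hostname are generic patterns, not the artifacts Huntress observed.
"""
import re

# Constructed Sysmon-style events (EID 1 process creation, EID 22 DNS query).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg.exe save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"},
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",   # benign query
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
    {"type": "process", "image": r"C:\Windows\Temp\AnyDesk.exe",    # assumed flags
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"type": "process", "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "MeshAgent.exe"},
    {"type": "dns", "image": r"C:\Windows\System32\rundll32.exe",
     "query": "api.telegram.org"},
    {"type": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",  # benign
     "query": "api.telegram.org"},
]

# reg.exe save/export of the hives that hold local credential material.
HIVE_DUMP_RE = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+"
    r"(?:HKLM|HKEY_LOCAL_MACHINE)\\(?:SAM|SECURITY|SYSTEM)\b",
    re.IGNORECASE,
)
# Remote-access agents named in the article; legitimate software, so this is a
# hunting lead to baseline against approved RMM tooling, not a verdict.
RMM_BINARIES = {"anydesk.exe", "meshagent.exe"}
# The Telegram Bot API is served from this host; a browser resolving it is
# normal, rundll32/regsvr32/etc. doing so is worth a look.
TELEGRAM_API = "api.telegram.org"
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (finding_kind, evidence) tuples for suspicious events."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if HIVE_DUMP_RE.search(ev["cmdline"]):
                findings.append(("registry_hive_dump", ev["cmdline"]))
            if basename(ev["image"]) in RMM_BINARIES:
                findings.append(("remote_access_tool", ev["image"]))
        elif ev["type"] == "dns":
            if (ev["query"].lower() == TELEGRAM_API
                    and basename(ev["image"]) not in BROWSERS):
                findings.append(("telegram_api_from_non_browser", ev["image"]))
    return findings


if __name__ == "__main__":
    for kind, evidence in hunt(SAMPLE_EVENTS):
        print(f"{kind:32s} {evidence}")
```

Treat the `remote_access_tool` hits as leads: AnyDesk and MeshAgent are legitimate, so the useful signal is an install on a server that has no approved RMM agent, or one spawned from the CrushFTP service's process tree. The hive-dump pattern is high confidence on a file-transfer server, where `reg save HKLM\SAM` has no routine purpose.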
The vulnerability disclosure process has itself drawn criticism. The flaw was first assigned CVE-2025-2825 by VulnCheck while the MITRE assignment was delayed; MITRE then designated it CVE-2025-31161 on March 27, after much of the industry had already adopted the earlier identifier. The National Vulnerability Database has since marked CVE-2025-2825 as rejected. With exploitation attempts continuing, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-31161 to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply the patches released on March 21 and to check their systems for signs of compromise.