Name:CrushFTP Authentication Bypass Exploitation id:82eb7f64-d219-4e21-acfe-956de84c1a35 version:1 date:2025-04-08 author:Michael Haag, Splunk status:production type:TTP Description:The following analytic detects potential exploitation of the CrushFTP authentication bypass vulnerability (CVE-2025-31161). This detection identifies suspicious command execution patterns associated with exploitation of this vulnerability, such as executing mesch.exe with specific arguments like b64exec or fullinstall. This activity is indicative of an attacker exploiting CVE-2025-31161 to gain unauthorized access to the CrushFTP server and perform post-exploitation activities. Data_source:
-CrushFTP
search:`crushftp` | rex field=_raw "\\[HTTP:[^:]+:(?<user>[^:]+):(?<src_ip>[^\\]]+)\\]" | rex field=_raw "cmd:(?<process>[^\\*\\r\\n]+)" | where isnotnull(process) AND (match(process, "mesch\.exe") OR match(process, "b64exec") OR match(process, "fullinstall") OR match(process, "run")) | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, user, process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crushftp_authentication_bypass_exploitation_filter`
how_to_implement:To implement this detection, you need to ingest CrushFTP logs into your Splunk environment. Configure CrushFTP to forward logs to Splunk via a syslog forwarder or direct file monitoring. This detection searches for CrushFTP logs containing suspicious command execution patterns commonly associated with exploitation of the CVE-2025-31161 vulnerability. known_false_positives:False positives may occur if there are legitimate administrative commands being executed on the CrushFTP server that match the suspicious patterns. Review the commands being executed to determine if the activity is legitimate administrative work or potential malicious activity. References: -https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation -https://nvd.nist.gov/vuln/detail/CVE-2025-31161 -https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update drilldown_searches: name:'View the detection results for - "$src_ip$"' search:'%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src_ip$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'CrushFTP Vulnerabilities' asset_type:Web Server mitre_attack_id: - 'T1190' - 'T1059.003' - 'T1059.001' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:network cve: - 'CVE-2025-31161'
