Detection: CrushFTP Authentication Bypass Exploitation

Description

The following analytic detects potential exploitation of the CrushFTP authentication bypass vulnerability (CVE-2025-31161). This detection identifies suspicious command execution patterns associated with exploitation of this vulnerability, such as executing mesch.exe with specific arguments like b64exec or fullinstall. This activity is indicative of an attacker exploiting CVE-2025-31161 to gain unauthorized access to the CrushFTP server and perform post-exploitation activities.

```spl
`crushftp`
| rex field=_raw "\\[HTTP:[^:]+:(?<user>[^:]+):(?<src_ip>[^\\]]+)\\]"
| rex field=_raw "cmd:(?<process>[^\\*\\r\\n]+)"
| where isnotnull(process) AND (match(process, "mesch\.exe") OR match(process, "b64exec") OR match(process, "fullinstall") OR match(process, "run"))
| stats count min(_time) as firstTime max(_time) as lastTime by src_ip, user, process
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `crushftp_authentication_bypass_exploitation_filter`
```
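The same extraction and matching logic, rewritten in Python as an added example (not part of the Splunk content project) so the two `rex` patterns and the `where`/`stats` clauses can be exercised against sample lines offline. The log lines below are constructed to fit the page's regexes and are not real CrushFTP output; the `run` pattern deliberately catches a benign `run_backup.sh` command to show the false-positive class the page warns about.

```python
import re
from collections import defaultdict

# Python equivalents of the two rex extractions in the SPL above.
SESSION_RE = re.compile(r"\[HTTP:[^:]+:(?P<user>[^:]+):(?P<src_ip>[^\]]+)\]")
CMD_RE = re.compile(r"cmd:(?P<process>[^*\r\n]+)")
# The same four patterns the where clause tests with match().
SUSPICIOUS = [re.compile(p) for p in (r"mesch\.exe", r"b64exec", r"fullinstall", r"run")]

# Constructed sample lines shaped to fit the regexes; not real CrushFTP session-log output.
SAMPLE_LOG = """\
[HTTP:1a2b:crushadmin:203.0.113.10] cmd:mesch.exe b64exec AAAA*
[HTTP:1a2b:crushadmin:203.0.113.10] cmd:mesch.exe fullinstall*
[HTTP:9f8e:alice:198.51.100.7] cmd:ls /uploads*
[HTTP:9f8e:alice:198.51.100.7] cmd:run_backup.sh*
[HTTP:9f8e:alice:198.51.100.7] GET /WebInterface/
"""


def parse_line(line):
    """Return (user, src_ip, process), or None when either rex would not extract (isnotnull(process))."""
    sess = SESSION_RE.search(line)
    cmd = CMD_RE.search(line)
    if not sess or not cmd:
        return None
    return sess["user"], sess["src_ip"], cmd["process"]


def is_suspicious(process):
    """Mirror the OR-chain of match() calls in the where clause."""
    return any(p.search(process) for p in SUSPICIOUS)


def detect(log_text):
    """Mirror `stats count by src_ip, user, process` over the suspicious rows only."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, src_ip, process = parsed
        if is_suspicious(process):
            counts[(src_ip, user, process)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, count in detect(SAMPLE_LOG).items():
        print(count, key)
```

Running it yields three rows: the two `mesch.exe` commands from 203.0.113.10 and the benign `run_backup.sh` from alice, which is the row a tuning macro would filter.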

Data Source

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrushFTP | N/A | `crushftp:sessionlogs` | `crushftp` |

Macros Used

| Name | Value |
|---|---|
| crushftp | `sourcetype="crushftp:sessionlogs"` |
| crushftp_authentication_bypass_exploitation_filter | `search *` |

`crushftp_authentication_bypass_exploitation_filter` is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |

This configuration applies to all detections of type TTP. These detections use Risk Based Alerting and generate Notable Events.

Implementation

To implement this detection, you need to ingest CrushFTP logs into your Splunk environment. Configure CrushFTP to forward logs to Splunk via a syslog forwarder or direct file monitoring. This detection searches for CrushFTP logs containing suspicious command execution patterns commonly associated with exploitation of the CVE-2025-31161 vulnerability.

Known False Positives

False positives may occur if there are legitimate administrative commands being executed on the CrushFTP server that match the suspicious patterns. Review the commands being executed to determine if the activity is legitimate administrative work or potential malicious activity.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

Potential CrushFTP authentication bypass exploitation from IP $src_ip$ as user $user$

| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 60 | No Threat Objects |
| src_ip | system | 80 | No Threat Objects |

References

Detection Testing

| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | Passing | N/A | N/A | N/A |
| Unit | Passing | Dataset | crushftp | crushftp:sessionlogs |
| Integration | Passing | Dataset | crushftp | crushftp:sessionlogs |

Replay any dataset into Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1