DISCLOSURE DATE: March 21, 2025 (reported privately to the vendor on March 13; fixed builds released March 21)
CVE ID: CVE-2025-31161 (a duplicate identifier, CVE-2025-2825, was later assigned for the same flaw)
SOFTWARE AFFECTED: CrushFTP 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 (fixed in 10.8.4 and 11.3.1)
EXPLOITED BY: Kill (KillSec) ransomware group, among other actors
INITIAL VECTOR: Unauthenticated authentication bypass over HTTP(S) on the CrushFTP web interface, via a crafted S3-style (AWS4-HMAC-SHA256) Authorization header
OBJECTIVE: Sensitive Data Exfiltration, Extortion, and Potential Infrastructure Disruption
CISA DEADLINE: Patch Required by April 28, 2025 (Federal Mandate)
A newly weaponized vulnerability in CrushFTP, one of the most widely deployed secure file transfer tools, has triggered urgent advisories from cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA). Originally disclosed responsibly by researchers at Outpost24, the flaw—now tracked as CVE-2025-31161—is actively being exploited in the wild by advanced ransomware operators, including the Kill gang, to compromise networks, exfiltrate data, and launch extortion campaigns.
CISA formally added the CVE to its Known Exploited Vulnerabilities Catalog (KEV), mandating that all Federal Civilian Executive Branch (FCEB) agencies patch affected systems by April 28, 2025. The agency flagged the exploit as critical due to its impact on confidentiality, integrity, and availability across sectors ranging from government to commercial enterprise.
“The vulnerability in CrushFTP is under active exploitation. Immediate patching is required,” CISA wrote. “Organizations must prioritize the update to prevent ongoing or imminent ransomware activity targeting unpatched instances.”
WHAT HAPPENED: A Timeline of the CrushFTP Incident
- March 13 – Outpost24 discovers the vulnerability and reports it privately to CrushFTP, agreeing to a 90-day disclosure window.
- March 21 – CrushFTP releases fixed builds (10.8.4 and 11.3.1) and begins alerting customers with instructions to update, without publishing technical details.
- Late March – A third party reverse engineers the patch and publishes the exploit method, and a second identifier (CVE-2025-2825) is assigned for the same bug, exposing the flaw well before the agreed window had elapsed. Exploitation attempts follow within days; Huntress observed them from March 30.
- April 7 – CISA adds CVE-2025-31161 to its Known Exploited Vulnerabilities catalog after reports confirm real-world exploitation, giving federal agencies 21 days (until April 28) to patch.
- April 9 – Kill ransomware group claims to have leveraged CVE-2025-31161 to steal “large volumes of sensitive data.”
THREAT LANDSCAPE: What Makes This Different?
This is not just another file transfer tool exploit—this is the next MOVEit, GoAnywhere, or Accellion-style breach waiting to spiral. Threat actors have rapidly incorporated this bug into their toolkits, leveraging its access path to gain footholds in networks, exfiltrate sensitive data, and in some cases, deploy full ransomware payloads.
Cyber defenders from Huntress confirmed exploitation attempts in at least four industries: marketing, retail, semiconductors, and logistics. Observers like Shadowserver and Censys have identified hundreds of internet-facing CrushFTP servers still exposed to the vulnerability.
But as CrushFTP points out, the visible surface may only reflect a portion of reality. Many organizations may have applied temporary mitigations or are sitting behind proxies, skewing scan results and giving a false sense of lowered threat.
TECHNICAL DETAILS (CVE-2025-31161):
- Vulnerability Class: Authentication bypass (improper authentication, CWE-305) in the web interface’s handling of S3-style AWS4-HMAC-SHA256 Authorization headers. The server accepted the user name given in the Credential= field and, when the request carried no signature, skipped password verification entirely. It is not a path traversal bug, and it does not involve the FTP, FTPS or SFTP listeners.
- Access Level Required: None. A remote, unauthenticated attacker needs only network reach to the HTTP(S) service and a valid or guessable user name; the default administrator account is crushadmin.
- Potential Impact:
- Authentication as any account without its password, including the administrator
- Full administrative control: creating users, changing server configuration
- Reading, writing and exfiltrating hosted files
- Full compromise of the underlying host through administrative features, which CISA cites as the worst case
- Fixed In: CrushFTP 10.8.4 and 11.3.1. The vendor lists its DMZ perimeter function as the only interim mitigation for instances that cannot be updated immediately.
Outpost24’s decision to hold the vulnerability for 90 days was undermined when another actor publicized the technical exploit method. This forced the CrushFTP team to accelerate mitigation guidance and release further alerts to all customers.
“Someone else looking for fame reverse engineered our patch, published an exploit, and weaponized the flaw before enterprises could even patch,” said a CrushFTP spokesperson. “That’s not research. That’s enabling criminal behavior.”
CISA’s DIRECTIVE & NEXT STEPS
MANDATORY FOR GOVERNMENT AGENCIES: All federal agencies under FCEB jurisdiction must patch all instances of CrushFTP before April 28, per CISA’s Binding Operational Directive (BOD) 22-01.
RECOMMENDED FOR PRIVATE SECTOR:
- Immediately upgrade to CrushFTP 10.8.4 or 11.3.1 (or later); no earlier release on either branch is safe.
- If patching is not immediately feasible, deploy the instance behind the vendor’s DMZ perimeter function, the only vendor-documented interim mitigation, and restrict HTTP(S) exposure at the network edge until the update is applied.
- Assume exposure from late March onward: review web access logs for AWS4-HMAC-SHA256 Authorization headers that carry no Signature, for logins from unexpected sources, and for large or bulk downloads.
- Validate that no unapproved users, changed passwords or configuration edits exist, and rotate credentials for every account, since the bypass needs no password and therefore leaves no failed-login trail.
- Use endpoint detection and response (EDR) tools to watch for lateral movement, new scheduled tasks or services, and other post-exploitation activity on the CrushFTP host.
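The version check and the log review above as one runnable triage script, an added example written for this page and not code from CrushFTP, Outpost24 or CISA. It assumes the vendor’s fixed builds (10.8.4 and 11.3.1), the default administrator account name crushadmin, and a constructed access-log format in which a reverse proxy in front of CrushFTP records the Authorization header as the last quoted field; the 500 MiB transfer threshold, the client addresses and the request paths are illustrative.

```python
"""Added example (not CrushFTP code or the advisory's own tooling): two triage checks
for CVE-2025-31161, a version test against the vendor's fixed builds and a scan of
access-log lines for the exploitation pattern. The log format is constructed for this
example: a reverse proxy in front of CrushFTP that records the Authorization header as
the last quoted field. Paths and client addresses are illustrative."""
import re

# Fixed builds per the vendor advisory; every earlier 10.x / 11.x build is affected.
FIXED_VERSIONS = {10: (10, 8, 4), 11: (11, 3, 1)}
# Account names worth flagging on any S3-style login; crushadmin is the default admin.
PRIVILEGED = {"crushadmin"}
# Per-client transfer volume that warrants a look; assumed threshold, tune per site.
EXFIL_BYTES = 500 * 1024 * 1024

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<auth>[^"]*)"$'
)
# SigV4 header: "AWS4-HMAC-SHA256 Credential=<user>/<date>/<region>/s3/aws4_request, ...".
S3_CRED_RE = re.compile(r'^AWS4-HMAC-SHA256\s+Credential=(?P<user>[^/,\s]+)')
S3_SIG_RE = re.compile(r'Signature=[0-9a-f]{64}')


def parse_version(version: str) -> tuple:
    """'11.3.0' -> (11, 3, 0); a two-part string like '11.3' compares as 11.3.0."""
    return tuple(int(p) for p in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fixed build for its major line.
    Majors other than 10 and 11 are outside the advisory and are not judged."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    return fixed is not None and v < fixed


def classify_auth(header: str):
    """Return (user, reason) when an Authorization header matches the bypass, else None.

    The flaw: CrushFTP trusted the user named in Credential= and skipped password
    verification when the request carried no signature. A genuine SigV4 request always
    includes a 64-hex-char Signature; its absence is the tell. A signed request as a
    privileged account is not an exploit but still deserves a look on an MFT host.
    """
    m = S3_CRED_RE.match(header)
    if not m:
        return None
    user = m.group("user")
    if not S3_SIG_RE.search(header):
        return user, "AWS4-HMAC-SHA256 header without Signature (CVE-2025-31161 pattern)"
    if user in PRIVILEGED:
        return user, "signed S3-style login as privileged account"
    return None


def scan(lines, exfil_threshold: int = EXFIL_BYTES) -> list:
    """Scan access-log lines; return findings as dicts with ts, ip, user, reason."""
    findings = []
    volume = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort a triage run
        rec = m.groupdict()
        sent = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        volume[rec["ip"]] = volume.get(rec["ip"], 0) + sent
        hit = classify_auth(rec["auth"])
        if hit:
            findings.append({"ts": rec["ts"], "ip": rec["ip"], "user": hit[0], "reason": hit[1]})
    for ip, total in volume.items():
        if total >= exfil_threshold:
            findings.append({"ts": None, "ip": ip, "user": None,
                             "reason": f"{total} bytes sent to one client (possible exfiltration)"})
    return findings


# Constructed sample: two bypass attempts as crushadmin, a 700 MiB download from the same
# client, one legitimate signed S3 request, and an ordinary form login.
SAMPLE_LOG = """\
2025-03-30T02:14:07Z 203.0.113.5 "GET /WebInterface/function/?command=getUsername HTTP/1.1" 200 512 "AWS4-HMAC-SHA256 Credential=crushadmin/"
2025-03-30T02:14:09Z 203.0.113.5 "GET /WebInterface/function/?command=getUserList HTTP/1.1" 200 8190 "AWS4-HMAC-SHA256 Credential=crushadmin/"
2025-03-30T02:20:41Z 203.0.113.5 "GET /WebInterface/function/?command=download&path=/finance/ HTTP/1.1" 200 734003200 "-"
2025-03-30T03:01:12Z 198.51.100.7 "PUT /bucket/report.csv HTTP/1.1" 200 4096 "AWS4-HMAC-SHA256 Credential=s3user/20250330/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
2025-03-30T03:05:00Z 198.51.100.9 "POST /WebInterface/function/?command=login HTTP/1.1" 200 256 "-"
"""

if __name__ == "__main__":
    for ver in ("10.8.3", "10.8.4", "11.3.0", "11.3.1"):
        print(ver, "VULNERABLE" if is_vulnerable(ver) else "fixed")
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Most reverse proxies do not log the Authorization header by default; enable that field (or pull the equivalent from CrushFTP’s own session logs) before relying on the header check. An unsigned AWS4-HMAC-SHA256 login against a build older than 10.8.4 or 11.3.1 should be handled as evidence of exploitation and trigger credential rotation, not be tuned away as noise.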
A PATTERN OF EXPLOITATION: File Transfer Tools in the Crosshairs
CrushFTP is just the latest in a string of exploited managed file transfer (MFT) platforms:
- MOVEit Transfer (Progress Software): Over 2,000 organizations impacted by the Cl0p mass-exploitation campaign in 2023.
- GoAnywhere MFT (Fortra): Exploited in early 2023, leading to data breaches at multiple healthcare and financial entities.
- Cleo file transfer products (Harmony, VLTrader, LexiCom): Exploited in late 2024; WK Kellogg later disclosed a breach through its Cleo-hosted servers.
These attacks aren’t just opportunistic—they’re methodical and coordinated, capitalizing on slow patch cycles, complex deployments, and delayed disclosures. Adversaries are increasingly banking on zero-day windows to turn file transfer software into breach gateways.
BOTTOM LINE: PATCH NOW, OR PAY LATER
The Kill ransomware group has already announced plans to begin extorting victims using data stolen via this CrushFTP exploit. The timeline between disclosure, exploitation, and extortion has now shrunk to mere days—not weeks or months.
This is a call to action. Whether you’re running CrushFTP in a government office, a manufacturing company, or a private datacenter, your window to act is closing. This is not just a file transfer vulnerability. This is an entry point for digital warfare.
Patch. Monitor. Harden. Or prepare for fallout.
Stay informed. Stay protected.