Cybersecurity firm Huntress has published details of the post-exploitation activity it observed following attacks on a critical vulnerability in CrushFTP, a widely used enterprise file transfer server. The flaw, tracked as CVE-2025-31161, lets an unauthenticated attacker bypass authentication and gain unauthorized access to the server, putting the files it holds at risk of theft.
Discovered by researchers at Outpost24, the vulnerability's disclosure has generated considerable controversy within the security community: CrushFTP's developers have blamed security firms for the speed with which the flaw was exploited, stirring debate over responsibility and disclosure timing. Huntress has observed exploitation since March 30, initially seeing threat actors test the access they had obtained.
As its investigation progressed, Huntress documented post-exploitation activity aimed at establishing persistent access to the compromised servers. Four companies were affected, three of them hosted by a single Managed Service Provider (MSP), spanning the marketing, retail, and semiconductor sectors. In one reported instance the attackers installed the legitimate remote-access application AnyDesk and dumped registry hives from the host to harvest credentials.
Further scrutiny revealed the deployment of MeshAgent, an open-source remote management agent that is also frequently abused by malicious actors. Analysis of a suspicious DLL associated with the MeshAgent installation suggested that the attackers used a Telegram bot to collect telemetry from the compromised hosts. Huntress has not attributed the attacks to a specific group, but it has published indicators of compromise (IoCs) to help organizations detect and block the activity.
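The activity Huntress describes (a CrushFTP server spawning commands, registry hives being dumped for credentials, and AnyDesk or MeshAgent being dropped) is straightforward to hunt for in process-creation telemetry. The following Python script is an added example, not code from Huntress, CrushFTP, or this article; the events it runs over are constructed for illustration in the shape of Sysmon Event ID 1 records, and it assumes CrushFTP runs as a Java process and that the hive dump used the built-in reg.exe, neither of which the article states.

```python
"""Triage process-creation events for the post-exploitation chain described
above: CrushFTP's Java process spawning a shell, reg.exe saving credential
hives (SAM/SYSTEM/SECURITY), and AnyDesk or MeshAgent being launched.

The SAMPLE_EVENTS below are constructed for this example, not real telemetry.
Assumptions (not stated on the page): CrushFTP runs under java.exe from a path
containing "CrushFTP", and the hive dump used reg.exe save.
"""
import ntpath
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "meshagent.exe"}
# "reg save HKLM\SAM ..." style commands; case-insensitive, any output path.
HIVE_DUMP = re.compile(r"\bsave\b.*\bhklm\\(sam|system|security)\b", re.IGNORECASE)

# Constructed sample events (hostnames, paths and commands are invented).
SAMPLE_EVENTS = [
    {"host": "ftp01", "parent": r"C:\CrushFTP11\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ftp01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"host": "ftp01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\system C:\Windows\Temp\sys.hiv"},
    {"host": "ftp01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\AnyDesk.exe",
     "cmdline": r"C:\Users\Public\AnyDesk.exe --install C:\ProgramData\AnyDesk --silent"},
    {"host": "ftp02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "cmdline": r'"C:\Program Files\Mesh Agent\MeshAgent.exe"'},
    {"host": "ws17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def _base(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def crushftp_spawned_shell(ev):
    """The file-transfer service's Java process should never spawn a shell."""
    return ("crushftp" in ev["parent"].lower()
            and _base(ev["parent"]) == "java.exe"
            and _base(ev["image"]) in SHELLS)


def registry_hive_dump(ev):
    """reg.exe saving SAM/SYSTEM/SECURITY: offline credential extraction."""
    return _base(ev["image"]) == "reg.exe" and HIVE_DUMP.search(ev["cmdline"]) is not None


def remote_access_tool(ev):
    """AnyDesk / MeshAgent on a file-transfer server is persistence, not admin."""
    return _base(ev["image"]) in REMOTE_ACCESS_TOOLS


RULES = [crushftp_spawned_shell, registry_hive_dump, remote_access_tool]


def triage(events):
    """Return one finding per (event, matching rule) pair."""
    findings = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                findings.append({"rule": rule.__name__, "host": ev["host"],
                                 "cmdline": ev["cmdline"]})
    return findings


def summarize(events):
    """Map each host to the sorted list of rules it tripped, so that a host
    showing both a hive dump and a remote-access tool stands out as a full
    credential-theft-plus-persistence chain rather than isolated noise."""
    by_host = {}
    for f in triage(events):
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {host: sorted(rules) for host, rules in by_host.items()}


if __name__ == "__main__":
    for host, rules in summarize(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

In the constructed data the server that spawned a shell is also the one that dumped hives and installed AnyDesk, which is the pattern worth paging on; a lone AnyDesk launch on a workstation may be legitimate, so the per-host summary matters more than any single rule.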
According to data from the Shadowserver Foundation, exploitation attempts have since declined, as has the number of vulnerable internet-exposed CrushFTP instances. The vendor released patches on March 21, but it was not until March 27 that MITRE assigned the CVE-2025-31161 identifier, after confusion arose from multiple CVE identifiers being used for the same flaw.
In response to the ongoing exploitation, CISA has added CVE-2025-31161 to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to patch exposed CrushFTP servers without delay. The episode underscores the importance of coordinated industry response to vulnerability disclosure, and the need for organizations to watch for post-exploitation activity, not just the initial exploit, on their file transfer infrastructure.