Cybersecurity firm Huntress has provided new insights into the post-exploitation activities observed in attacks leveraging the recently disclosed vulnerability in enterprise file transfer solution CrushFTP.
The vulnerability, now tracked as CVE-2025-31161, is an authentication bypass: it lets an unauthenticated attacker gain access to the targeted CrushFTP server. It affects CrushFTP 10 before 10.8.4 and CrushFTP 11 before 11.3.1, and upgrading to those releases is the fix.
The flaw was first uncovered by researchers at Outpost24. Its public disclosure drew an angry response from CrushFTP's developers, who blamed security firms for publicizing it and claimed that the publicity triggered a rush of in-the-wild attacks.
Huntress, which began observing exploitation attempts on March 30, noted that the initial wave of attacks appeared to be testing access to systems. However, the activity soon escalated to more significant post-exploitation actions aimed at establishing persistent access.
Huntress tracked attacks against four companies, three of them hosted by the same managed service provider (MSP), spanning the marketing, retail and semiconductor sectors. According to Huntress, the attackers focused on setting up mechanisms for long-term control over the compromised systems.
One of the most notable tactics was the installation of legitimate remote access tools. In one case the attackers deployed AnyDesk, a widely used remote desktop application, to keep a foothold on the system. They also dumped the SAM (Security Account Manager) and SYSTEM registry hives: the SAM hive holds the local account password hashes and the SYSTEM hive holds the boot key needed to decrypt them, so the pair is enough to recover local credentials offline.
In other incidents, Huntress observed the deployment of MeshAgent, the agent component of the open-source MeshCentral remote management platform. Analysis of a malicious DLL dropped after the MeshAgent installation showed that the attackers were using a Telegram bot to collect telemetry from the compromised hosts, extending their post-exploitation reach.
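As an added illustration (not Huntress's detection content and not CrushFTP code), the following Python hunts over constructed Sysmon-style process and network events for the three behaviours described in the two preceding paragraphs: SAM/SYSTEM hive dumps, processes spawned by the CrushFTP Java service (such as a remote access tool install), and non-browser connections to the Telegram Bot API host. The event field names, the install path, and the assumption that the hives were dumped with reg.exe (the article names the hives, not the tool) are ours.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample telemetry, not real Huntress data. Records are a
# simplified, Sysmon-like shape: "process" ~ Event ID 1 (process creation),
# "network" ~ Event ID 3 (network connection). Field names are ours.
SAMPLE_EVENTS = [
    # Benign: the CrushFTP service's Java process starting under services.exe.
    {"kind": "process",
     "image": r"C:\CrushFTP11\Java\bin\java.exe",
     "cmdline": "java.exe -Xmx2g -jar CrushFTP.jar -d",
     "parent_image": r"C:\Windows\System32\services.exe"},
    # Assumed tooling: the article names the SAM and SYSTEM hives but not the
    # tool; "reg save" is the common way to dump them.
    {"kind": "process",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv",
     "parent_image": r"C:\CrushFTP11\Java\bin\java.exe"},
    {"kind": "process",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg  save hklm\system C:\Windows\Temp\sys.hiv",
     "parent_image": r"C:\CrushFTP11\Java\bin\java.exe"},
    # Remote access tool launched by the file-transfer service itself.
    {"kind": "process",
     "image": r"C:\Users\Public\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --silent",
     "parent_image": r"C:\CrushFTP11\Java\bin\java.exe"},
    # Benign: an administrator's read-only registry query from a shell.
    {"kind": "process",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    # A non-browser process reaching the Telegram Bot API host.
    {"kind": "network",
     "image": r"C:\Windows\System32\rundll32.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign: a browser reaching the same host.
    {"kind": "network",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]

# Matches "save HKLM\SAM", "save HKEY_LOCAL_MACHINE\SYSTEM", etc. SECURITY is
# included because it is often dumped alongside them for cached credentials.
HIVE_DUMP_RE = re.compile(
    r"\bsave\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b",
    re.IGNORECASE,
)
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "meshagent.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
TELEGRAM_BOT_API_HOST = "api.telegram.org"  # public Telegram Bot API endpoint


@dataclass(frozen=True)
class Finding:
    rule: str
    event_index: int
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_crushftp_java(path: str) -> bool:
    # Assumption: CrushFTP runs as java.exe from a directory whose path
    # contains "CrushFTP". Adjust to the site's actual install location.
    return basename(path) == "java.exe" and "crushftp" in path.lower()


def hunt(events):
    """Return one Finding per rule hit; an event may trigger several rules."""
    findings = []
    for i, ev in enumerate(events):
        img = basename(ev.get("image", ""))
        if ev.get("kind") == "process":
            m = HIVE_DUMP_RE.search(ev.get("cmdline", ""))
            if img == "reg.exe" and m:
                findings.append(Finding(
                    "hive_dump", i,
                    f"reg.exe saved the {m.group(1).upper()} hive "
                    "(SAM + SYSTEM together yield local password hashes)"))
            if is_crushftp_java(ev.get("parent_image", "")):
                tag = ("known remote access tool" if img in REMOTE_ACCESS_TOOLS
                       else "unexpected child process")
                findings.append(Finding(
                    "crushftp_spawned_process", i,
                    f"CrushFTP's Java process spawned {img} ({tag})"))
        elif ev.get("kind") == "network":
            if (ev.get("dest_host", "").lower() == TELEGRAM_BOT_API_HOST
                    and img not in BROWSERS):
                findings.append(Finding(
                    "telegram_bot_api_from_non_browser", i,
                    f"{img} connected to {TELEGRAM_BOT_API_HOST}:{ev.get('dest_port')}"))
    return findings


def rule_counts(findings) -> dict:
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_index}: {f.detail}")
```

The parent-process rule is the one that generalizes beyond this incident: an internet-facing file transfer service has little legitimate reason to spawn reg.exe or an installer, so any child of the CrushFTP Java process deserves a look, whatever the tool turns out to be. Tune the browser and tool allowlists to the environment before running this over real telemetry.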
Data from the Shadowserver Foundation shows that, as of March 30, approximately 1,500 vulnerable instances of CrushFTP were publicly exposed to the internet.
MITRE issued CVE-2025-31161 on March 27 at Outpost24's request. Before that, vulnerability intelligence firm VulnCheck had assigned a separate identifier, CVE-2025-2825, to the flaw so that organizations had something to track. That identifier has since been marked REJECTED in the National Vulnerability Database (NVD); scanner output or advisories that still cite CVE-2025-2825 refer to the same issue, and CVE-2025-31161 is the identifier to use for tracking and patch verification.
This week, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-31161 to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to patch their systems to prevent further exploitation.