Cybersecurity firm Huntress has shared details on the post-exploitation activities seen in the attacks leveraging the recently disclosed CrushFTP vulnerability.
The vulnerability, discovered by researchers at security firm Outpost24, is tracked as CVE-2025-31161 and it allows an attacker to bypass authentication and gain access to a system.
Its disclosure has been shrouded in controversy, with developers of the enterprise file transfer solution blaming security firms for the quick in-the-wild exploitation of the flaw.
Huntress has been seeing attacks exploiting the CrushFTP vulnerability since March 30. Initially, threat actors appeared to be testing access, but the security firm later started observing post-exploitation activity aimed at setting up persistent access to targeted hosts.
The attacks seen by Huntress were aimed at four companies, including three that were hosted by the same MSP. The targets were firms in the marketing, retail, and semiconductor sectors.
In one instance, Huntress saw the attackers installing the legitimate AnyDesk remote desktop application. The hackers then dumped SAM and System registry hives to collect credentials.
In other attacks, threat actors deployed MeshAgent, an open source remote monitoring tool. Just like AnyDesk, MeshAgent is a legitimate tool known to have been abused by malicious actors.
The analysis of a DLL file delivered following the MeshAgent installation suggested that the attackers are using a Telegram bot to collect telemetry from compromised hosts.
Huntress has not shared any information on who may be behind these attacks, but it did provide indicators of compromise (IoCs) to help organizations detect and block attacks. Since the company blocked the attacks, it’s unclear what the hackers’ ultimate goal was, but the theft of sensitive information is often an objective in such campaigns.
According to data from the Shadowserver Foundation, the number of exploitation attempts has decreased, and so has the number of vulnerable internet-exposed systems.
Patches for the security hole were announced on March 21. However, several days after disclosure, a CVE was still not assigned and vulnerability intelligence firm VulnCheck assigned CVE-2025-2825 to make it easier for companies to track.
MITRE, which had been asked by Outpost24 to assign a CVE on March 13, issued CVE-2025-31161 on March 27, but by that time much of the industry had started using CVE-2025-2825.
CrushFTP developers were unhappy with VulnCheck’s decision to assign a CVE, noting that it drew more attention to the vulnerability, which led to the release of technical details and PoC exploits, and ultimately its in-the-wild exploitation.
In the National Vulnerability Database (NVD), CVE-2025-2825 was initially assigned to the flaw, but that CVE has since been rejected and the issue is now officially tracked as CVE-2025-31161.
CISA on Monday added CVE-2025-31161 to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to take action to prevent exploitation.
Related: NIST Puts Pre-2018 CVEs on Back Burner as It Works to Clear Backlog
Related: Critical Apache Parquet Vulnerability Leads to Remote Code Execution
Related: Halo ITSM Vulnerability Exposed Organizations to Remote Hacking
