Suspicious CrushFTP Child Process
Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as CVE-2025-31161 (the same CrushFTP authentication bypass was initially tracked as CVE-2025-2825, the identifier used in the rule's references), where attackers gain unauthenticated access through crafted HTTP requests and chain it into RCE. The detection keys on the Windows service binary (crushftpservice.exe) as the parent and on commonly abused interpreters and script hosts (powershell.exe, cmd.exe, wscript.exe and similar) as the child, since these are what attackers typically launch post-exploitation to run their commands.
Sigma rule
title: Suspicious CrushFTP Child Process
id: 459628e3-1b00-4e9b-9e5b-7da8961aea35
status: experimental
description: |
    Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as
    CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.
    The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-2825
    - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
    - https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
    - https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis
    - https://projectdiscovery.io/blog/crushftp-authentication-bypass
author: Craig Sweeney, Matt Anderson, Jose Oregon, Tim Kasper, Faith Stratton, Samantha Shaw, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-10
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1190
    - cve.2025-31161
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\crushftpservice.exe'
    selection_child:
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\sh.exe'
            - '\wscript.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate CrushFTP administrative actions
    - Software updates
level: medium
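To see exactly what the rule above fires on, the following is an added example (not code from the rule, SigmaHQ or pySigma) that re-implements only the Sigma semantics this rule depends on and runs them over constructed process-creation events. Two things it makes concrete: Sigma string modifiers such as `endswith` match case-insensitively, so `CRUSHFTPSERVICE.EXE` and `PowerShell.exe` still match; and the leading backslash in each value anchors the match to the file name, so a binary like `notcmd.exe` does not match `\cmd.exe`. Field names are Sysmon Event ID 1 (`Image`, `ParentImage`), which is what the `process_creation`/`windows` logsource maps to; a Security 4688 feed would need `NewProcessName`/`ParentProcessName` mapped first. The install path, command lines and record IDs are assumptions for the sample data, not taken from the page.

```python
"""Evaluate the 'Suspicious CrushFTP Child Process' rule over sample events.

Added example: hand-rolled subset of Sigma matching (case-insensitive
`endswith`, OR across listed values, `all of selection_*`). Not the rule's
own code and not SigmaHQ/pySigma tooling. All events are constructed.
"""
from typing import Dict, Iterable, List

# Values copied verbatim from selection_parent / selection_child in the rule.
PARENT_SUFFIX = "\\crushftpservice.exe"
CHILD_SUFFIXES = (
    "\\bash.exe", "\\cmd.exe", "\\cscript.exe", "\\mshta.exe",
    "\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe",
    "\\sh.exe", "\\wscript.exe",
)

Event = Dict[str, object]


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma `|endswith`: case-insensitive suffix match on the whole field value."""
    return value.lower().endswith(suffix.lower())


def selection_parent(event: Event) -> bool:
    return endswith_ci(str(event.get("ParentImage", "")), PARENT_SUFFIX)


def selection_child(event: Event) -> bool:
    # A list of values under one modifier is an OR over those values.
    image = str(event.get("Image", ""))
    return any(endswith_ci(image, suffix) for suffix in CHILD_SUFFIXES)


def matches(event: Event) -> bool:
    """condition: all of selection_*  (both selections must hold)."""
    return selection_parent(event) and selection_child(event)


def run_rule(events: Iterable[Event]) -> List[int]:
    """Return the RecordIds of the events that satisfy the rule."""
    return [int(e["RecordId"]) for e in events if matches(e)]


# Constructed Sysmon-style events; paths and command lines are hypothetical.
SAMPLE_EVENTS: List[Event] = [
    {   # service spawning cmd.exe: the exact pattern the rule targets
        "RecordId": 1,
        "ParentImage": r"C:\Program Files\CrushFTP11\CrushFTPService.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # mixed-case names: still matches because Sigma is case-insensitive
        "RecordId": 2,
        "ParentImage": r"C:\Program Files\CrushFTP11\CRUSHFTPSERVICE.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
        "CommandLine": "PowerShell.exe -nop -w hidden -enc AAAA",
    },
    {   # same parent, child not on the list: no alert
        "RecordId": 3,
        "ParentImage": r"C:\Program Files\CrushFTP11\CrushFTPService.exe",
        "Image": r"C:\Program Files\CrushFTP11\jre\bin\java.exe",
        "CommandLine": "java.exe -jar CrushFTP.jar",
    },
    {   # listed shell but a different parent: selection_parent fails
        "RecordId": 4,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
    {   # sh.exe from a Git-for-Windows install, spawned by the service
        "RecordId": 5,
        "ParentImage": r"C:\Program Files\CrushFTP11\CrushFTPService.exe",
        "Image": r"C:\Program Files\Git\usr\bin\sh.exe",
        "CommandLine": "sh.exe -c id",
    },
    {   # substring is not a suffix: '\cmd.exe' does not match 'notcmd.exe'
        "RecordId": 6,
        "ParentImage": r"C:\Program Files\CrushFTP11\CrushFTPService.exe",
        "Image": r"C:\Tools\notcmd.exe",
        "CommandLine": "notcmd.exe",
    },
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        if matches(event):
            print(f"[ALERT] record {event['RecordId']}: "
                  f"{event['ParentImage']} -> {event['CommandLine']}")
```

Running it alerts on records 1, 2 and 5 only. In production the rule would be converted with sigma-cli or a pySigma backend rather than evaluated by hand; the value of the hand evaluation is checking the edge cases (case, suffix anchoring, field mapping) before trusting the converted query. If the listed false positives (administrative actions, updates) spawn shells in your environment, tune on `CommandLine` rather than widening or dropping the parent match.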
Related rules
- Exploited CVE-2020-10189 Zoho ManageEngine
- Potential APT FIN7 Exploitation Activity
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution