False positives may occur if legitimate administrative commands executed on the CrushFTP server match the suspicious patterns. Note that the rule's match() calls are unanchored substring searches, so the "run" pattern in particular will fire on any command text containing that string (for example a script named runbackup.sh), not only on an explicit run command. Review the commands being executed to determine whether the activity is legitimate administrative work or potential malicious activity.

Techniques

Sample rules

CrushFTP Authentication Bypass Exploitation

Description

The following analytic detects potential exploitation of the CrushFTP authentication bypass vulnerability (CVE-2025-31161). It extracts the requesting user and source IP from CrushFTP log events together with the command string recorded after cmd:, and flags command execution patterns associated with exploitation of this vulnerability, such as mesch.exe being executed with arguments like b64exec or fullinstall. This activity indicates an attacker exploiting CVE-2025-31161 to gain unauthorized access to the CrushFTP server and then performing post-exploitation activities on it.

Detection logic

`crushftp` 
| rex field=_raw "\\[HTTP:[^:]+:(?<user>[^:]+):(?<src_ip>[^\\]]+)\\]" 
| rex field=_raw "cmd:(?<process>[^\\*\\r\\n]+)" 
| where isnotnull(process) AND (match(process, "mesch\.exe") OR match(process, "b64exec") OR match(process, "fullinstall") OR match(process, "run")) 
| stats count min(_time) as firstTime max(_time) as lastTime by src_ip, user, process 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `crushftp_authentication_bypass_exploitation_filter`
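To see what the rule above actually does to an event stream, the following added Python re-implements its rex, where and stats stages over a handful of constructed log lines. It is an illustration written for this page, not code from Splunk or from the CrushFTP project: the log lines are made up to fit the rule's regexes and are not captured from a real CrushFTP deployment, the timestamp prefix is an assumed format, and the STRICT_PATTERNS variant is an assumed tuning (whole-word "run") that is not part of the published rule. The doubled backslashes in the SPL are string escaping; the same patterns are written here in Python raw-string syntax.

```python
import re

# The two regexes mirror the rex stages of the SPL rule.
HTTP_RE = re.compile(r"\[HTTP:[^:]+:(?P<user>[^:]+):(?P<src_ip>[^\]]+)\]")
CMD_RE = re.compile(r"cmd:(?P<process>[^*\r\n]+)")
# Assumed timestamp prefix of the constructed sample lines (stands in for _time).
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Patterns from the where clause. Splunk's match() is an unanchored regex
# search, so "run" fires on any command text containing that substring.
PATTERNS = [re.compile(p) for p in (r"mesch\.exe", "b64exec", "fullinstall", "run")]
# Assumed tuning, not part of the page's rule: require "run" as a whole word.
STRICT_PATTERNS = [re.compile(p) for p in (r"mesch\.exe", "b64exec", "fullinstall", r"\brun\b")]

# Constructed sample events shaped to the rule's regexes; not real CrushFTP output.
SAMPLE_LOGS = [
    "2025-04-01 09:55:00 [HTTP:31001:backupsvc:10.0.0.12] GET /WebInterface/ 200",
    "2025-04-01 09:56:00 [HTTP:31002:backupsvc:10.0.0.12] cmd:runbackup.sh --nightly*",
    "2025-04-01 09:57:00 [HTTP:31003:backupsvc:10.0.0.12] cmd:ls /var/data*",
    "2025-04-01 10:00:01 [HTTP:44124:crushadmin:203.0.113.7] cmd:mesch.exe -fullinstall*",
    "2025-04-01 10:00:05 [HTTP:44124:crushadmin:203.0.113.7] cmd:b64exec c2VjcmV0*",
    "2025-04-01 10:02:10 [HTTP:44130:crushadmin:203.0.113.7] cmd:mesch.exe -fullinstall*",
]


def parse_event(line):
    """Emulate the two rex commands. Returns (user, src_ip, process), or None
    when the line carries no cmd: field (dropped by `where isnotnull(process)`)."""
    cmd = CMD_RE.search(line)
    if cmd is None:
        return None
    http = HTTP_RE.search(line)
    user = http.group("user") if http else None
    src_ip = http.group("src_ip") if http else None
    return user, src_ip, cmd.group("process").strip()


def matched_patterns(process, patterns=PATTERNS):
    """Return the rule patterns a command string triggers, in rule order."""
    return [p.pattern for p in patterns if p.search(process)]


def is_suspicious(process, patterns=PATTERNS):
    return bool(matched_patterns(process, patterns))


def detect(lines, patterns=PATTERNS):
    """Emulate the where + stats stages: count, firstTime and lastTime keyed by
    (src_ip, user, process) for every command that hits a pattern."""
    stats = {}
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        user, src_ip, process = event
        if not is_suspicious(process, patterns):
            continue
        m = TS_RE.match(line)
        ts = m.group("ts") if m else ""
        row = stats.setdefault(
            (src_ip, user, process), {"count": 0, "firstTime": ts, "lastTime": ts}
        )
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
    return stats


if __name__ == "__main__":
    for (src_ip, user, process), row in detect(SAMPLE_LOGS).items():
        print(f"{src_ip} {user} {process!r} count={row['count']} "
              f"first={row['firstTime']} last={row['lastTime']} "
              f"patterns={matched_patterns(process)}")
    print("rows after whole-word run tuning:", len(detect(SAMPLE_LOGS, STRICT_PATTERNS)))
```

Running it shows three result rows with the rule's own patterns: the two crushadmin rows from 203.0.113.7 (the repeated mesch.exe launch collapses to one row with count 2 and the correct first/last times) and a backupsvc row that exists only because runbackup.sh contains the substring run. With the whole-word variant the benign row disappears and the two attacker rows remain, which is the kind of tuning the false positive note above is asking the reviewer to consider.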