
Active Exploitation of File Transfer Vulnerabilities


Threat actors are actively exploiting two critical vulnerabilities in CrushFTP and in Gladinet’s CentreStack and Triofox products, leading to data exfiltration and extortion. CrushFTP, a managed file transfer solution, is affected by an authentication bypass vulnerability designated CVE-2025-31161. The flaw is simple to exploit, and public exploit code is readily available, increasing the risk for organizations that use the platform. Meanwhile, Gladinet’s CentreStack and Triofox products, both file-sharing and remote access platforms, are affected by a critical remote code execution (RCE) vulnerability stemming from a hardcoded key in the products’ configuration. This flaw (CVE-2025-30406) allows attackers to forge payloads and execute arbitrary code on the server.

What’s Notable and Unique

  • CVE-2025-31161 is a critical vulnerability affecting CrushFTP v10 and v11 and allows unauthenticated attackers to temporarily authenticate as any user, including administrators, leading to full server compromise. Over 1,500 vulnerable instances have been exposed, and as of April 10, 2025, approximately 440 organizations in North America remain vulnerable.
  • After exploiting the CrushFTP vulnerability, threat actors often install remote monitoring and management (RMM) tools like AnyDesk and MeshAgent before harvesting credentials. When certain threat actors exploit the vulnerability, they also install a Telegram bot to exfiltrate telemetry from infected hosts.
  • CVE-2025-30406 is a deserialization vulnerability in CentreStack and Triofox caused by the use of a hardcoded or weakly protected ‘machineKey’ in the IIS ‘web.config’ file, which secures ASP.NET ViewState data. If an attacker can obtain or predict this key, they can forge ViewState payloads that pass integrity checks and trigger deserialization, potentially resulting in remote code execution.
  • Upon successful exploitation, threat actors often deploy a malicious executable, install the MeshCentral remote access tool, and conduct lateral movement within the network. The vulnerable Triofox product is commonly used by managed service providers (MSPs), posing a serious threat to MSPs and their customers.


Analyst Comments

Overlaps in the post-exploitation techniques observed after CVE-2025-30406 (CentreStack and Triofox) and CVE-2025-31161 (CrushFTP) indicate potentially coordinated threat activity or shared attacker infrastructure. Threat actors have installed MeshCentral and used the IP address 2.58.56[.]16 for post-exploitation communication in incidents following exploitation of either vulnerability. However, based on observed behavior and the ease of exploitation, multiple threat actors are likely exploiting these vulnerabilities. At least one threat actor, KillSec, has publicly claimed exploitation and exfiltration by leveraging the CrushFTP vulnerability. Arete has observed other threat actors extort victims after allegedly exploiting the CrushFTP vulnerability.

The CrushFTP vulnerability has been exploited since March 31, 2025, so any organization running a vulnerable version of CrushFTP that has not updated should assess for potential unauthorized access and exfiltration. Organizations running a vulnerable version of CrushFTP can take one of two actions to remediate the vulnerability: upgrade to version 10.8.4 or version 11.3.1, or enable a DMZ proxy instance. Applying the patch will not revoke the access of threat actors who have already exploited the vulnerability and created a new valid user account in the application. For organizations affected by the CentreStack and Triofox vulnerability, Gladinet has released an updated version that resolves the vulnerability and generates a new machine key.
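The two remediation checks above (a CrushFTP build older than 10.8.4 / 11.3.1, and a static ASP.NET machineKey in a CentreStack or Triofox web.config that must be regenerated) can be scripted for triage. The following is an added example, not Arete’s or the vendors’ tooling; the sample web.config and its key values are constructed placeholders, and the fixed-version table comes from the article.

```python
"""Triage helpers for the two advisories above (added example).

- crushftp_vulnerable: compares a CrushFTP version against the fixed
  releases named in the article (10.8.4 for v10, 11.3.1 for v11).
- static_machine_keys: parses an IIS web.config and reports <machineKey>
  attributes holding literal key material instead of AutoGenerate, i.e.
  a key that ViewState integrity depends on and that must be rotated.
"""
import re
import xml.etree.ElementTree as ET

# Fixed releases per major line, as stated in the advisory.
FIXED_CRUSHFTP = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text):
    """Extract a (major, minor, patch) tuple from a version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def crushftp_vulnerable(version_text):
    """True when a CrushFTP 10.x/11.x build predates its fixed release."""
    v = parse_version(version_text)
    fixed = FIXED_CRUSHFTP.get(v[0])
    if fixed is None:
        return False  # other major lines are outside this advisory's scope
    return v < fixed


def static_machine_keys(web_config_xml):
    """Return <machineKey> attribute names that carry static key material."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET's default is AutoGenerate; a literal value is a
            # static key that, if shipped by the vendor, is shared by
            # every install and should be regenerated after patching.
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if not value.startswith("AutoGenerate"):
                findings.append(attr)
    return findings


# Constructed sample web.config with placeholder (not real) static keys.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for v in ("10.8.3", "10.8.4", "11.2.0", "11.3.1"):
        print(v, "vulnerable" if crushftp_vulnerable(v) else "fixed")
    print("static machineKey attributes:", static_machine_keys(SAMPLE_WEB_CONFIG))
```

A flagged machineKey is a prompt to confirm the key was regenerated by the update, not proof of compromise; a post-patch review for unexpected user accounts and RMM tools (MeshCentral, MeshAgent, AnyDesk) is still needed.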