Intel Name: Suspicious CrushFTP child process
Date of Scan: April 22, 2025
Impact: Medium
Summary: Identifies unusual child processes initiated by the CrushFTP service, potentially signaling exploitation of remote code execution flaws like CVE-2025-31161, which allows RCE via crafted HTTP requests. The detection targets frequently misused Windows executables (e.g., powershell.exe, cmd.exe) often leveraged by attackers for executing malicious commands after gaining access.
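The parent/child check described in the summary, as an added example that is not part of the original record or of any vendor's rule. It assumes Sysmon-style process-creation fields (`Image`, `ParentImage`, `OriginalFileName`, `CommandLine`) and that the service image is named `crushftpservice.exe`; the events are constructed.

```python
import ntpath

# Assumption: the CrushFTP Windows service image name; adjust to your install.
PARENT_NAMES = {"crushftpservice.exe"}
# The two executables named in the summary; extend for your environment.
WATCHED_CHILDREN = {"powershell.exe", "cmd.exe"}

def _basename(path):
    """Lower-cased file name from a Windows path; '' when the field is missing."""
    return ntpath.basename(path or "").strip().lower()

def is_suspicious(event):
    """True if a process-creation event shows a watched child of the CrushFTP service."""
    if _basename(event.get("ParentImage")) not in PARENT_NAMES:
        return False
    # Compare the on-disk name and the PE OriginalFileName so a renamed copy still matches.
    names = {_basename(event.get("Image")), _basename(event.get("OriginalFileName"))}
    return bool(names & WATCHED_CHILDREN)

def triage(events):
    """Return (Image, CommandLine) for every matching event, in input order."""
    return [(e.get("Image"), e.get("CommandLine", "")) for e in events if is_suspicious(e)]

# Constructed sample events (not taken from any real host).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\CrushFTP\CrushFTPService.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c whoami"},
    # Renamed interpreter: file name differs, OriginalFileName gives it away.
    {"ParentImage": r"C:\Program Files\CrushFTP\CrushFTPService.exe",
     "Image": r"C:\Windows\Temp\svc.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "svc.exe -NoProfile"},
    # Child of the service that is not on the watch list.
    {"ParentImage": r"C:\Program Files\CrushFTP\CrushFTPService.exe",
     "Image": r"C:\Program Files\Java\bin\java.exe", "OriginalFileName": "java.exe",
     "CommandLine": "java.exe -version"},
    # Watched executable, but a different parent.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe"},
    # Incomplete event with no parent recorded.
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for image, cmdline in triage(SAMPLE_EVENTS):
        print(f"ALERT child of CrushFTP service: {image} :: {cmdline}")
```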