Apr 01 2025

CrushFTP CVE-2025-2825 flaw actively exploited in the wild

Category: Security vulnerabilities | disc7 @ 12:23 pm

A critical vulnerability, designated CVE-2025-2825, has been identified in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The flaw lets an unauthenticated remote attacker bypass authentication over the server's exposed HTTP(S) port and gain unauthorized access to the affected server.

CrushFTP privately notified its customers of the vulnerability on March 21, 2025, and urged an immediate update to version 10.8.4 or 11.3.1. Despite that notice, roughly 1,500 internet-facing CrushFTP instances were still unpatched and vulnerable as of March 30.
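The affected and fixed version numbers above are the only reliable triage input this advisory gives a defender, so here is a small inventory check built from them. It is an added example, not code from the original post or from CrushFTP: it parses a version string (or a banner containing one), tests it against the two inclusive affected ranges, and names the first fixed release for that branch. The host names and version strings in the sample inventory are constructed for illustration.

```python
"""Triage helper for CVE-2025-2825 (also referenced as CVE-2025-31161).

Affected per the advisory: 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.
First fixed releases: 10.8.4 and 11.3.1. Anything outside those ranges is
reported as "not in affected range", which is not the same as "safe".
"""
from __future__ import annotations

import re

# Inclusive (first_affected, last_affected) ranges taken from the advisory.
AFFECTED_RANGES: list[tuple[tuple[int, ...], tuple[int, ...]]] = [
    ((10, 0, 0), (10, 8, 3)),
    ((11, 0, 0), (11, 3, 0)),
]

# First fixed release per major branch, used only for the remediation hint.
FIXED_IN: dict[int, str] = {10: "10.8.4", 11: "11.3.1"}


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract the leading dotted numeric version from a string.

    Accepts bare versions ('11.3.0') and banner-like strings
    ('CrushFTP 11.2.5_8'); build suffixes after the numeric part are
    ignored and short versions are padded, so '11.3' compares as 11.3.0.
    Raises ValueError when no version is present.
    """
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host in a {host: version_string} inventory to a recommended action."""
    actions: dict[str, str] = {}
    for host, version_text in inventory.items():
        try:
            v = parse_version(version_text)
        except ValueError:
            # A host whose version cannot be read still needs a human look.
            actions[host] = "unknown version: verify manually"
            continue
        if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
            fixed = FIXED_IN.get(v[0], "a fixed release")
            actions[host] = f"VULNERABLE: upgrade to {fixed} (isolate or enable DMZ mode until then)"
        else:
            actions[host] = "not in affected range"
    return actions


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    sample = {
        "ftp-edge-01": "CrushFTP 11.2.5_8",   # inside 11.0.0..11.3.0
        "ftp-edge-02": "11.3.1",              # first fixed 11.x release
        "ftp-legacy":  "10.8.3",              # last affected 10.x release
        "ftp-dev":     "10.8.4",              # first fixed 10.x release
        "ftp-unknown": "banner unavailable",  # no version to parse
    }
    for host, action in triage(sample).items():
        print(f"{host:12} {action}")
```

Because the ranges are inclusive on both ends, 10.8.3 and 11.3.0 are flagged while 10.8.4 and 11.3.1 are not; a banner that hides or truncates the version should be treated as unknown and checked on the host rather than assumed clean.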

Exploitation attempts have been observed, with attackers leveraging publicly available proof-of-concept (PoC) exploit code. The Shadowserver Foundation reported that most of these attempts originate from IP addresses in Asia, with fewer from Europe and North America.

The disclosure process for CVE-2025-2825 has been marked by confusion. CrushFTP initially informed customers of the vulnerability without a CVE number, which led to discrepancies in how the affected versions were reported. The flaw was subsequently assigned CVE-2025-2825, but CrushFTP's CEO later indicated that the correct identifier should be CVE-2025-31161. Until the record is reconciled, both identifiers refer to the same flaw, so searches of advisories and scanner output should include both.

To mitigate the risk associated with this vulnerability, CrushFTP users should promptly update to the patched versions. If immediate updating is not feasible, enabling CrushFTP’s DMZ feature can serve as a temporary safeguard. Additionally, restricting internet access to CrushFTP servers is advisable where possible.


Tags: CrushFTP, CVE-2025-2825
