Critical Vulnerability in CrushFTP Under Attack, Exposing Thousands of File Servers
A newly discovered critical vulnerability in CrushFTP’s file transfer server software is currently under active attack, raising serious concerns over the security of systems running the product. The flaw, designated as CVE-2025-2825, enables attackers to bypass authentication and gain access to affected servers, earning it a high severity rating with a CVSS score of 9.8.
The vulnerability was privately disclosed to CrushFTP customers on March 21 and quickly became a target for malicious actors. According to an X post by the Shadowserver Foundation on Monday, exploitation attempts were observed using a publicly available proof-of-concept exploit. As of March 30, Shadowserver’s data indicated that 1,512 unpatched CrushFTP instances remained vulnerable—down from roughly 1,800 reported on March 28—with the majority of attacks originating from IP addresses in Asia, and smaller numbers from Europe and North America.
Cybersecurity firm ProjectDiscovery released technical details and a PoC on March 28, warning that the flaw’s low complexity and remote network attack vector could have severe consequences for organizations relying on the software. Ben Spink, CEO of CrushFTP, confirmed that the company has already received reports of customer compromises linked to the authentication bypass flaw.
However, confusion remains over the disclosure details. Rapid7 noted discrepancies between the initial private email sent to customers and the later public advisory. The email initially indicated that CrushFTP v11 versions below 11.3.1 were vulnerable, while the advisory also included certain v10 versions, specifically those below v10.8.4. The vulnerability was officially assigned a CVE on March 26, but CrushFTP’s advisory page has not yet been updated with complete details or a consistent CVE identifier.
Adding to the complexity, Spink asserted that the true CVE for the authentication bypass issue should be CVE-2025-31161—a designation not yet listed in either NIST’s National Vulnerability Database or Mitre’s CVE.org. In an email to Cybersecurity Dive, Spink explained that while the flaw was discovered and reported by cybersecurity vendor Outpost24, another firm prematurely assigned a different CVE to the same vulnerability, causing further confusion.
“We were trying to get people to start updating as urgently as possible… before the details of the exploit were released,” Spink wrote, adding that most v10 versions and all v11 versions of CrushFTP are affected by the flaw. “At the time of the email, we believed it was only v11. Shortly after, we realized even some v10 were affected, and we updated the page accordingly.”
This incident is the latest in a series of targeted attacks on file transfer products and services, which have become prime targets for a range of threat actors, including ransomware gangs. Nearly a year ago, a CrushFTP zero-day vulnerability (CVE-2024-4040) was also exploited in the wild.
Organizations using CrushFTP are urged to apply updates immediately and monitor their systems closely for any signs of compromise. As details continue to emerge, cybersecurity experts emphasize the need for prompt action to mitigate the risk posed by this critical flaw.
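The first step in acting on this advisory is knowing which of your CrushFTP instances fall inside the affected ranges the article quotes (v11 below 11.3.1 and v10 below 10.8.4). The inventory check below is an added example, not code from CrushFTP, Shadowserver or any of the firms named above; it assumes only those two thresholds, and the hostnames and version strings in its sample inventory are constructed.

```python
"""Inventory triage for the CrushFTP authentication-bypass advisory.

Added example, not CrushFTP's own code. It assumes only the fixed
versions quoted in the article: v11 builds below 11.3.1 and v10 builds
below 10.8.4 are affected. Other major versions are reported separately
rather than guessed at.
"""
import re
from dataclasses import dataclass

# Fixed versions as stated in the advisory quoted by the article.
FIXED = {10: (10, 8, 4), 11: (11, 3, 1)}

# Accepts "11.2.3", "v11.3", or "10"; anything else is treated as unparseable.
_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$")


def parse_version(text):
    """Turn a version string into a (major, minor, patch) tuple.

    Missing components default to 0 so that "11.3" sorts as 11.3.0, which
    is still below the fixed 11.3.1. Malformed input raises ValueError.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def assess(version_text):
    """Return 'affected', 'fixed', or 'outside-advisory' for one version."""
    version = parse_version(version_text)
    major = version[0]
    if major not in FIXED:
        # The article's thresholds say nothing about other major versions.
        return "outside-advisory"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "affected" if version < FIXED[major] else "fixed"


@dataclass
class Host:
    name: str
    version: str


def triage(inventory):
    """Group hosts by status so the affected ones can be patched first."""
    buckets = {"affected": [], "fixed": [], "outside-advisory": [], "unparseable": []}
    for host in inventory:
        try:
            status = assess(host.version)
        except ValueError:
            status = "unparseable"
        buckets[status].append(host.name)
    return buckets


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    Host("ftp-eu-01", "11.2.3"),
    Host("ftp-eu-02", "v11.3.1"),
    Host("ftp-us-01", "10.8.3"),
    Host("ftp-us-02", "10.8.4"),
    Host("ftp-legacy", "9.5.0"),
    Host("ftp-unknown", "build-???"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>17}: {', '.join(hosts) or '-'}")
```

Hosts that land in `affected` are the ones to update first; `unparseable` and `outside-advisory` entries should be checked by hand rather than assumed safe, since the script deliberately refuses to extend the advisory's ranges to versions it does not name.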