Summary: Attackers are actively exploiting a critical authentication bypass vulnerability in the CrushFTP file transfer software, tracked as CVE-2025-2825. The flaw, discovered and reported by Outpost24, affects unpatched versions 10 and 11 of CrushFTP and allows remote attackers to gain unauthenticated access to the system. It is particularly dangerous when the HTTPS ports are exposed to the internet. On March 21, CrushFTP released security patches and urgently warned customers via email to patch their systems immediately, emphasizing the high risk of compromise.
Despite the release of patches and guidance, exploitation attempts have already begun. A week after the initial advisory, Shadowserver, a cybersecurity threat monitoring platform, reported observing dozens of exploitation attempts targeting publicly accessible CrushFTP servers. As of March 30, more than 1,500 vulnerable instances were still exposed online. These attacks escalated shortly after ProjectDiscovery published a detailed technical analysis and released publicly available proof-of-concept exploit code.
Security Officer Comments: CrushFTP servers are often attractive targets due to the sensitive nature of the data they manage, including financial records, proprietary files, and login credentials. Organizations relying on these systems are at heightened risk of data theft, lateral movement, or ransomware deployment if compromised. The public availability of exploit code makes CVE-2025-2825 particularly urgent, as both financially motivated cybercriminals and advanced persistent threat actors could use it to gain initial access into enterprise environments.
Suggested Corrections: Apply the CrushFTP security patches released on March 21. For organizations unable to patch right away, CrushFTP recommended enabling the DMZ perimeter network setting as a temporary workaround to reduce exposure until the patch can be applied.
Link(s):
https://www.bleepingcomputer.com/ne...ass-bug-in-crushftp-now-exploited-in-attacks/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-2825
https://projectdiscovery.io/blog/crushftp-authentication-bypass