CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825)
CrushFTP has fixed a critical vulnerability (CVE-2025-2825) in its enterprise file transfer solution that could be exploited by remote, unauthenticated attackers to access vulnerable internet-facing servers (and likely the data stored on them).
Attackers, especially ransomware gangs, have a penchant for leveraging 0-day and n-day vulnerabilities in MOVEit Transfer, Cleo, Citrix ShareFile, and other enterprise-grade file transfer and sharing solutions.
Attackers have been known to exploit previous CrushFTP vulnerabilities, but there is currently no evidence of this latest one being under active exploitation, nor reports of a public proof-of-concept exploit.
About CVE-2025-2825
“The bottom line of this vulnerability is that an exposed HTTP(S) port could lead to unauthenticated access. The vulnerability is mitigated if you have the DMZ feature of CrushFTP in place,” the company stated in an email sent to customers on Friday.
In it, the company’s support team stated that the vulnerability affects all CrushFTP v11 versions, but the NVD CVE entry confirms that “CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected.”
CrushFTP has released v11.2.3 and 10.8.3 to address this vulnerability and urged customers to upgrade their server instances as soon as possible. They also reiterated that, if immediate upgrading is not possible, enabling CrushFTP’s DMZ feature will act as mitigation against attacks.
Limiting access to CrushFTP servers – i.e., making them inaccessible from the internet – is also a good idea, if your use case allows it.
UPDATE (March 28, 2025, 09:00 a.m. ET):
“CrushFTP users should check session logs for successful authentication attempts from unknown sources for default CrushFTP accounts, such as ‘crushadmin’ and ‘anonymous.’ Session logs can typically be found under the “session_logs” folder in CrushFTP’s root logging directory,” Horizon3.ai researchers advised.
“Given past exploitation of CrushFTP in the wild, we expect to see activity surrounding this vulnerability over the coming days. If you’re a CrushFTP user, we encourage you to apply patches as soon as possible.”
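The log check Horizon3.ai describes above (successful logins to default accounts from unfamiliar sources) can be scripted. The following is an added example written for this page, not code from the article, Horizon3.ai or CrushFTP. CrushFTP’s real session log layout is not documented here, so the line format the regex parses, the sample log lines and the `KNOWN_SOURCES` ranges are all constructed for illustration; adapt the regex to the format you actually find under `session_logs`.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# Default CrushFTP accounts named in the Horizon3.ai advice quoted above.
DEFAULT_ACCOUNTS = {"crushadmin", "anonymous"}

# Source ranges your organisation treats as known (admin jump hosts, office
# ranges). Constructed placeholder values; replace with your own.
KNOWN_SOURCES = {"10.0.0.0/8", "192.168.1.0/24"}

# ASSUMED, simplified log line layout for this example only. The real
# CrushFTP session log format is not shown on this page; adjust as needed.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<ip>\S+)\s+"
    r"(?P<result>LOGIN_OK|LOGIN_FAIL)\s+user=(?P<user>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    ip: str
    user: str


def ip_is_known(ip: str, known: set[str] = KNOWN_SOURCES) -> bool:
    """True if ip falls inside one of the known ranges; unparsable = unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in known)


def scan(lines: Iterable[str],
         known: set[str] = KNOWN_SOURCES,
         accounts: set[str] = DEFAULT_ACCOUNTS) -> list[Finding]:
    """Return successful logins to default accounts from non-known sources."""
    findings: list[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        if m["result"] != "LOGIN_OK":
            continue  # only successful authentications are of interest here
        if m["user"].lower() not in accounts:
            continue  # not one of the default accounts
        if ip_is_known(m["ip"], known):
            continue  # expected admin/office source
        findings.append(Finding(m["ts"], m["ip"], m["user"]))
    return findings


def scan_text(text: str) -> list[Finding]:
    return scan(text.splitlines())


# Constructed sample session log (documentation-range IPs, not real data).
SAMPLE_LOG = """\
[2025-03-27 08:12:01] 10.0.4.7 LOGIN_OK user=crushadmin
[2025-03-27 11:40:55] 203.0.113.45 LOGIN_FAIL user=crushadmin
[2025-03-27 11:41:02] 203.0.113.45 LOGIN_OK user=crushadmin
[2025-03-27 13:05:19] 198.51.100.9 LOGIN_OK user=anonymous
[2025-03-27 13:06:00] 198.51.100.9 LOGIN_OK user=jdoe
this line does not match the assumed format and is ignored
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"{f.ts} successful login as {f.user!r} from unknown source {f.ip}")
```

On the constructed sample this flags two events: the `crushadmin` login from 203.0.113.45 (the preceding failure from the same address is not a finding on its own) and the `anonymous` login from 198.51.100.9. The `jdoe` login is ignored because it is not a default account, and the `crushadmin` login from 10.0.4.7 is ignored because it comes from a known range. Treat hits as a starting point for triage, not proof of compromise: confirm against the patched version in use and the DMZ configuration described earlier in the article.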
UPDATE (March 28, 2025, 09:30 a.m. ET):
The Shadowserver Foundation says there are currently around 1800 unpatched internet-facing CrushFTP instances worldwide that are likely vulnerable to CVE-2025-2825. Most of them are located in North America and Europe.