Attackers are targeting CrushFTP vulnerability with public PoC (CVE-2025-2825)
Exploitation attempts targeting the CVE-2025-2825 vulnerability on internet-facing CrushFTP instances are underway, the Shadowserver Foundation shared on Monday, and the attackers have been leveraging publicly available PoC exploit code.
What can be done?
CVE-2025-2825, affecting CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, is an authentication bypass vulnerability that may allow unauthenticated attackers to access CrushFTP servers through an exposed HTTP(S) port.
The vulnerability was privately disclosed to CrushFTP customers via email on March 21. The missive did not include a CVE number for the flaw, and said that it only affected version 11 of the solution.
Subsequently, CrushFTP confirmed in a security advisory that the vulnerability also affected v10, and that it cannot be exploited if the DMZ proxy instance of CrushFTP is in place.
Other than confirming that the vulnerability was responsibly disclosed and they had no indication that it was being actively exploited, the company has declined to share more details.
Since then, several security companies have released a technical analysis of the vulnerability and a proof-of-concept exploit (PoC) for it, which the attackers have now started using.
According to Shadowserver, there are still around 1,500 internet-facing, unpatched instances vulnerable to CVE-2025-2825 out there.
To plug the hole, they should be updated to v10.8.4 or v11.3.1. Those who haven’t done it by now should check if their installation has been accessed by attackers. Rapid7 has shared possible indicators of compromise.
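As an added example (not code from the article, CrushFTP or Shadowserver), a small inventory check that flags which CrushFTP versions fall inside the affected ranges given above and which already carry the v10.8.4 / v11.3.1 fix; the version-string format (dotted numbers with an optional "_build" suffix) and the sample hostnames are assumptions.

```python
# Added defender-side example, not code from the article or CrushFTP.
# Ranges are the article's: 10.0.0-10.8.3 and 11.0.0-11.3.0 are affected by
# CVE-2025-2825; 10.8.4 and 11.3.1 carry the fix. Version-string format is an
# assumption: dotted numbers, optional "_build" suffix (e.g. "11.3.0_17").
import re

# per major branch: (first affected, last affected); fixed in 10.8.4 / 11.3.1
AFFECTED = {
    10: ((10, 0, 0), (10, 8, 3)),
    11: ((11, 0, 0), (11, 3, 0)),
}

def parse_version(raw: str) -> tuple[int, int, int]:
    """'11.3.0_17' -> (11, 3, 0); 'v10.8.4' -> (10, 8, 4); '11.3' -> (11, 3, 0)."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:_\w+)?", raw.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {raw!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad short versions
    return tuple(parts[:3])

def assess(raw: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unaffected' for one version string."""
    v = parse_version(raw)
    branch = AFFECTED.get(v[0])
    if branch is None:
        return "unaffected"                  # e.g. 9.x: outside both ranges
    low, high = branch
    return "vulnerable" if low <= v <= high else "fixed"

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so the vulnerable ones can be patched first."""
    groups: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "unaffected": []}
    for host, ver in inventory.items():
        groups[assess(ver)].append(host)
    return groups

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ftp-a.example.test": "11.3.0_17",
    "ftp-b.example.test": "11.3.1_10",
    "ftp-c.example.test": "10.8.3",
    "ftp-d.example.test": "v10.8.4",
    "ftp-e.example.test": "9.5.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:11s} {', '.join(hosts) or '-'}")
```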
CVE confusion
As it happens, CrushFTP’s security advisories for versions 11 and 10 didn’t list the flaw’s CVE number until today, and the changelog for CrushFTP v11.3.1 (which includes the fix) still doesn’t.
But the company’s CEO has taken umbrage at vulnerability intelligence firm VulnCheck (a CVE Numbering Authority) for having assigned a CVE to it.
“The real CVE is pending,” the CrushFTP CEO told Jacob Baines, VulnCheck’s CTO, last week.
This Monday, the company revealed to SecurityWeek that the actual CVE for the vulnerability is CVE-2025-31161 and was discovered and disclosed by researchers with Outpost24.
CVE numbers are essential for tracking vulnerabilities because they provide a standardized way to identify and talk about specific security flaws across different tools, platforms, and teams, so VulnCheck’s action is understandable.
The public entry for CVE-2025-2825 will now likely be deleted, and CVE-2025-31161 will likely be used as the reference for this bug going forward. However, this unnecessary confusion could have been easily avoided if CrushFTP had mentioned from the start that they were waiting for a CVE number to be assigned.