Unauthenticated Access Vulnerability in CrushFTP by CrushFTP, Inc.
CVE-2025-2825

9.8CRITICAL

Key Information:

Vendor: CrushFTP
Status: Vendor
CVE Published: 26 March 2025

Badges

🥇 Trended No. 1 · 📈 Trended · 📈 Score: 6,600 · 💰 Ransomware · 👾 Exploit Exists · 🟡 Public PoC · 📰 News Worthy

What is CVE-2025-2825?

CVE-2025-2825 is a vulnerability in CrushFTP, a file transfer server developed by CrushFTP, Inc. The software is designed for secure file transfer and management and is commonly used in business environments for sharing files over the internet. The vulnerability allows unauthenticated access through remote HTTP requests, meaning an attacker could exploit the flaw to gain unauthorized entry into systems running affected versions. Such unauthorized access poses serious risks to organizations, including data breaches and disruption of operations.

Technical Details

The vulnerability affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. It allows attackers to make remote, unauthenticated HTTP requests that can lead to unauthorized access to the system. The flaw arises from insufficient access controls within the CrushFTP software, enabling intrusion without valid credentials. Organizations running these versions should be particularly cautious: because no authentication is required, the flaw is easier to exploit than one that first needs an account.

Potential impact of CVE-2025-2825

  1. Unauthorized Access: The primary impact of this vulnerability is the ability for attackers to gain unauthorized access to sensitive files and data stored on the CrushFTP server. This could lead to data leakage or theft, compromising sensitive business information.

  2. Data Breaches: With unrestricted access, malicious actors could not only view but also potentially modify or delete critical files, leading to extensive data compromise that could be detrimental to a company’s operations and reputation.

  3. Operational Disruption: The exploitation of this vulnerability could also result in operational disruptions, as attackers may seek to manipulate file transfers or exploit the server for further malicious activities, ultimately affecting business continuity and service delivery.

Affected Version(s)

CrushFTP 11.0.0 up to (excluding) 11.3.1

CrushFTP 10.0.0 up to (excluding) 10.8.4
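The two version ranges above are what a defender needs to triage an asset inventory. The following script is an added example (not code from the page, and not from CrushFTP, Inc.): it encodes the published ranges as lower-inclusive/upper-exclusive bounds, parses dotted version strings into comparable tuples, and classifies each host as vulnerable, not affected, or unknown. The hostnames and versions in the sample inventory are constructed for illustration; a version string that cannot be parsed is reported as "unknown" rather than silently treated as safe.

```python
"""Triage a CrushFTP inventory against the version ranges published for CVE-2025-2825.

Affected ranges (from the advisory): 10.0.0 up to but not including 10.8.4,
and 11.0.0 up to but not including 11.3.1. Versions outside those ranges
(including 10.8.4+, 11.3.1+ and anything below 10.0.0) are not flagged.
"""

# Each entry is (lower bound inclusive, upper bound exclusive).
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 8, 4)),  # 10.0.0 <= v < 10.8.4
    ((11, 0, 0), (11, 3, 1)),  # 11.0.0 <= v < 11.3.1
)


def parse_version(text):
    """Parse a dotted numeric version into a tuple of ints, e.g. '11.3.0' -> (11, 3, 0).

    Only purely numeric dotted versions are accepted; anything else raises
    ValueError so callers can treat it as 'unknown' rather than silently 'safe'.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    # Pad to three components so '11.3' compares like '11.3.0'.
    return nums + (0,) * max(0, 3 - len(nums))


def is_affected(version_text):
    """Return True when the version falls inside one of the published affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage_inventory(inventory):
    """Classify each (host, version) pair as 'vulnerable', 'not_affected' or 'unknown'."""
    result = {}
    for host, version in inventory:
        try:
            result[host] = "vulnerable" if is_affected(version) else "not_affected"
        except ValueError:
            # Unparseable version: flag for manual follow-up instead of assuming it is safe.
            result[host] = "unknown"
    return result


# Constructed sample inventory (hypothetical hostnames and versions, not from the page).
SAMPLE_INVENTORY = [
    ("ftp-01.example.internal", "10.8.3"),        # last affected 10.x build
    ("ftp-02.example.internal", "10.8.4"),        # first fixed 10.x build
    ("ftp-03.example.internal", "11.3.0"),        # last affected 11.x build
    ("ftp-04.example.internal", "11.3.1"),        # first fixed 11.x build
    ("ftp-05.example.internal", "11.1"),          # two-component version, padded to 11.1.0
    ("ftp-06.example.internal", "9.5.0"),         # below the affected ranges
    ("ftp-07.example.internal", "unknown-build"), # cannot be parsed
]

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Tuple comparison gives lexicographic ordering, so a four-component build such as 11.3.0.5 still sorts below 11.3.1 and is flagged, while 10.8.4 sits exactly on the exclusive upper bound and is not.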

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

CrushFTP Exploitation Continues Amid Disclosure Dispute

Attacks on a critical authentication bypass flaw in CrushFTP's file transfer product continue this week after duplicate CVEs sparked confusion.

3 weeks ago

Disclosure Drama Clouds CrushFTP Vulnerability Exploitation

CrushFTP CEO Ben Spink slammed several cybersecurity companies for creating confusion around a critical authentication bypass flaw that's currently under attack.

4 weeks ago

Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy

Two CVEs now exist for an actively exploited CrushFTP vulnerability and much of the security industry is using the ‘wrong one’.

4 weeks ago

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🥇 Vulnerability reached the number 1 worldwide trending spot

  • 💰 Used in Ransomware

  • 📈 Vulnerability started trending

  • 👾 Exploit known to exist

  • 📰 First article discovered by Help Net Security

  • 🟡 Public PoC available

  • Vulnerability published

  • Vulnerability Reserved
