Unauthenticated Access Vulnerability in CrushFTP by CrushFTP, Inc.
CVE-2025-2825
What is CVE-2025-2825?
CVE-2025-2825 is a vulnerability in CrushFTP, a file transfer server developed by CrushFTP, Inc. The software is designed for secure file transfer and management and is commonly used in business environments to share files over the internet. The vulnerability allows unauthenticated access through remote HTTP requests, meaning attackers could exploit the flaw to gain unauthorized entry into systems running affected versions. Such access poses serious risks to organizations, including data breaches and disruption of operations.
Technical Details
The vulnerability affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. It allows attackers to make remote and unauthenticated HTTP requests that can lead to unauthorized access to the system. The flaw arises from insufficient access controls within the CrushFTP software, enabling potential intrusions without the need for valid credentials. Organizations using these versions of CrushFTP should be particularly cautious, as the flaw does not require any authentication, making it easier for attackers to exploit.
Potential impact of CVE-2025-2825
- Unauthorized Access: The primary impact of this vulnerability is the ability for attackers to gain unauthorized access to sensitive files and data stored on the CrushFTP server. This could lead to data leakage or theft, compromising sensitive business information.
- Data Breaches: With unrestricted access, malicious actors could not only view but also potentially modify or delete critical files, leading to extensive data compromise that could be detrimental to a company’s operations and reputation.
- Operational Disruption: The exploitation of this vulnerability could also result in operational disruptions, as attackers may seek to manipulate file transfers or exploit the server for further malicious activities, ultimately affecting business continuity and service delivery.
Affected Version(s)
CrushFTP 11.0.0 < 11.3.1
CrushFTP 10.0.0 < 10.8.4
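The Technical Details and Affected Version(s) sections give two half-open ranges (10.0.0 up to but not including 10.8.4, and 11.0.0 up to but not including 11.3.1). A common triage mistake is to compare version strings lexically, which ranks "10.10.0" below "10.8.4". The following added example (not CrushFTP's or the advisory's code) parses versions into integer tuples and sorts an inventory into affected, fixed and unknown buckets; the hostnames and versions in SAMPLE_INVENTORY are constructed for illustration.

```python
"""Triage helper for CVE-2025-2825: classify CrushFTP versions against the
affected ranges stated in the advisory. Added example, not vendor code."""
import re

# Affected ranges from the advisory, as [first_affected, first_fixed) per line.
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 8, 4)),   # 10.0.0 .. 10.8.3
    ((11, 0, 0), (11, 3, 1)),   # 11.0.0 .. 11.3.0
)

# Accept "11.3.0", "v11.3.0" or "11.3.0_build1234"; trailing tags are ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as ints, or raise ValueError."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version_text):
    """True if the version lies inside one of the advisory's affected ranges.

    Tuple comparison is numeric per component, so 10.10.0 correctly sorts
    above 10.8.4 (a string comparison would get this wrong).
    """
    version = parse_version(version_text)
    return any(low <= version < fixed for low, fixed in AFFECTED_RANGES)


def triage(inventory):
    """Split (host, version) pairs into affected / fixed / unknown buckets.

    Unparsable versions go to 'unknown' for manual review rather than being
    silently treated as safe.
    """
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version_text in inventory:
        try:
            bucket = "affected" if is_affected(version_text) else "fixed"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    for bucket in result.values():
        bucket.sort()
    return result


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("ftp-a.example.internal", "11.3.0"),        # last affected 11.x build
    ("ftp-b.example.internal", "11.3.1"),        # first fixed 11.x build
    ("ftp-c.example.internal", "10.8.4"),        # first fixed 10.x build
    ("ftp-d.example.internal", "v10.7.2_b42"),   # affected, with prefix/suffix
    ("ftp-e.example.internal", "10.10.0"),       # above 10.8.4 numerically
    ("ftp-f.example.internal", "unknown"),       # banner could not be parsed
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:9s}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket is deliberate: a host whose version cannot be determined should be checked by hand, not assumed patched.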
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
CrushFTP Exploitation Continues Amid Disclosure Dispute
Attacks on a critical authentication bypass flaw in CrushFTP's file transfer product continue this week after duplicate CVEs sparked confusion.
3 weeks ago
Disclosure Drama Clouds CrushFTP Vulnerability Exploitation
CrushFTP CEO Ben Spink slammed several cybersecurity companies for creating confusion around a critical authentication bypass flaw that's currently under attack.
4 weeks ago
Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy
Two CVEs now exist for an actively exploited CrushFTP vulnerability and much of the security industry is using the ‘wrong one’.
4 weeks ago
EPSS Score
5% chance of being exploited in the next 30 days.
Timeline
- 🥇 Vulnerability reached the number 1 worldwide trending spot
- 💰 Used in Ransomware
- 📈 Vulnerability started trending
- 👾 Exploit known to exist
- 📰 First article discovered by Help Net Security
- 🟡 Public PoC available
- Vulnerability published
- Vulnerability Reserved