Unauthenticated Access Vulnerability in CrushFTP by CrushFTP, Inc.
CVE-2025-2825
Key Information:
- Vendor: CrushFTP
- CVE Published: 26 March 2025
What is CVE-2025-2825?
CVE-2025-2825 is a vulnerability in CrushFTP, a file transfer server developed by CrushFTP, Inc. The product is designed for secure file transfer and management and is commonly deployed in business environments for sharing files over the internet. The vulnerability allows unauthenticated access through remote HTTP requests, meaning an attacker could exploit the flaw to gain unauthorized entry into systems running affected versions. Such access poses serious risks to organizations, including data breaches and disruption of operations.
Technical Details
The vulnerability affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. It allows attackers to make remote and unauthenticated HTTP requests that can lead to unauthorized access to the system. The flaw arises from insufficient access controls within the CrushFTP software, enabling potential intrusions without the need for valid credentials. Organizations using these versions of CrushFTP should be particularly cautious, as the flaw does not require any authentication, making it easier for attackers to exploit.
Potential impact of CVE-2025-2825
- Unauthorized Access: The primary impact of this vulnerability is that attackers can gain unauthorized access to sensitive files and data stored on the CrushFTP server. This could lead to data leakage or theft, compromising sensitive business information.
- Data Breaches: With unrestricted access, malicious actors could not only view but also modify or delete critical files, leading to extensive data compromise that could be detrimental to a company's operations and reputation.
- Operational Disruption: Exploitation could also cause operational disruption, as attackers may manipulate file transfers or use the server as a foothold for further malicious activity, ultimately affecting business continuity and service delivery.
Affected Version(s)
CrushFTP 11.0.0 < 11.3.1
CrushFTP 10.0.0 < 10.8.4
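As an added example (not code from the advisory or from CrushFTP, Inc.), the check below tells an administrator whether an installed CrushFTP version falls inside the affected ranges listed above, so an inventory can be triaged for patching. It assumes versions are reported as `major.minor.patch`, with any trailing build suffix ignored; the host names are constructed.

```python
# Added example: check an installed CrushFTP version against the ranges this
# advisory lists as affected (10.0.0 - 10.8.3 and 11.0.0 - 11.3.0).
# Hypothetical helper, not part of CrushFTP or of the advisory itself.
import re

# Affected ranges as stated in the advisory: inclusive first affected release,
# exclusive upper bound equal to the first fixed release.
AFFECTED_RANGES = {
    # major: (first affected, first fixed)
    10: ((10, 0, 0), (10, 8, 4)),
    11: ((11, 0, 0), (11, 3, 1)),
}

def parse_version(text):
    """Turn a version string such as '11.2.3' or '10.8.3_7' into an int tuple.

    Assumption: a trailing build suffix after the patch number can be ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version_text):
    """Return True when the version lies inside an affected range."""
    v = parse_version(version_text)
    bounds = AFFECTED_RANGES.get(v[0])
    if bounds is None:
        return False  # other major lines are not listed by this advisory
    low, fixed = bounds
    return low <= v < fixed

def triage(inventory):
    """Map each (host, version) pair to a short verdict for an inventory review."""
    report = {}
    for host, version in inventory:
        try:
            report[host] = "AFFECTED - patch" if is_affected(version) else "not in affected range"
        except ValueError as exc:
            report[host] = f"UNKNOWN - {exc}"
    return report

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("ftp-a.example.test", "11.3.0"), ("ftp-b.example.test", "11.3.1"),
              ("ftp-c.example.test", "10.8.3"), ("ftp-d.example.test", "9.4.2"),
              ("ftp-e.example.test", "n/a")]
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```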
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
News Articles
Attackers are targeting CrushFTP vulnerability with public PoC (CVE-2025-2825) - Help Net Security
Exploitation attempts targeting the CVE-2025-2825 vulnerability on internet-facing CrushFTP instances are happening.
2 days ago
CrushFTP CVE-2025-2825 flaw actively exploited in the wild
Attackers exploit CrushFTP CVE-2025-2825 flaw, enabling unauthenticated access to unpatched devices using public proof-of-concept code.
2 days ago
Critical auth bypass bug in CrushFTP now exploited in attacks
Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code.
2 days ago
EPSS Score
15% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Used in Ransomware
- Vulnerability started trending
- Exploit known to exist
- First article discovered by Help Net Security
- Public PoC available
- Vulnerability published
- Vulnerability Reserved