A critical vulnerability in CrushFTP's file transfer server software has come under attack less than a week after the flaw was assigned a CVE.
The vulnerability, tracked as CVE-2025-2825, allows attackers to bypass authentication and gain port access to the file transfer server. The flaw received a CVSS score of 9.8 because it can be exploited remotely and is easy to exploit, according to security researchers.
In an X post on Monday, the Shadowserver Foundation said it observed exploitation attempts based on a publicly available proof of concept (PoC) exploit. Shadowserver's data showed 1,512 unpatched CrushFTP instances vulnerable to CVE-2025-2825 as of March 30; that number fell from approximately 1,800 unpatched servers on March 28.
According to Shadowserver's report, the majority of exploitation attempts originate from IP addresses in Asia, with a small number coming from Europe and North America.
Cybersecurity firm ProjectDiscovery published technical details and a PoC on March 28. The company noted that because of its low complexity and network attack vector, CVE-2025-2825 could have a severe impact on organizations.
Ben Spink, CEO of CrushFTP, told Cybersecurity Dive that the company has received a few reports of customer compromises via the authentication bypass flaw.
Disclosure questions, confusion
CrushFTP first informed customers of the vulnerability privately via email on March 21, according to Rapid7. The company later published a security advisory about a flaw that allowed unauthenticated HTTP(S) port access to CrushFTP v10-v11. The advisory, which did not contain a CVE, urged customers to upgrade to v11.3.1 immediately.
However, Rapid7 noted a discrepancy between the email notification to customers and the public advisory. "Few details were provided by the vendor, and there was some confusion around affected versions; the initial email only stated that v11 < 11.3.1 was vulnerable, while the advisory page stated that v10 < 10.8.4 was also vulnerable," Rapid7 said in its technical analysis.
The vulnerability was assigned a CVE on March 26. However, CrushFTP's advisory page still lacks a CVE or any additional details about the authentication bypass vulnerability.
Adding to the confusion is the assertion by CrushFTP’s Spink that the real CVE for the authentication bypass flaw is CVE-2025-31161, which currently does not have an entry in either NIST’s National Vulnerability Database or Mitre’s CVE.org.
In an email to Cybersecurity Dive, Spink explained that cybersecurity vendor Outpost24 discovered and reported the vulnerability. However, he said another cybersecurity company created the confusion by “taking credit for something they didn't discover” and assigning a different CVE to the same vulnerability before CrushFTP was able to fully disclose it publicly.
“We were trying to get people to start updating as urgently as possible ... before the details of the exploit were released,” Spink wrote.
He also said “most” v10 versions and all v11 versions of CrushFTP are affected by the flaw. “At the time of the email, we believed it was only v11. Shortly (few minutes) after the email we realized even some v10 were affected, and we updated the page to indicate this and have been telling people both were affected,” Spink wrote.
File transfer products and services have been heavily targeted in recent years by a variety of threat actors, including ransomware gangs. In fact, a CrushFTP zero-day vulnerability, tracked as CVE-2024-4040, came under attack almost one year ago.