Critical vulnerability in CrushFTP actively exploited
Take action: If you are running CrushFTP, this is an urgent advisory. Patch your server IMMEDIATELY. You are already under attack. If you can't patch, activate the DMZ perimeter network feature until you are able to apply the patches.
A critical vulnerability in CrushFTP's file transfer server software is being actively exploited less than a week after receiving an official CVE designation.
The flaw was initially tracked as CVE-2025-2825 (CVSS score 9.8) and allows attackers to bypass authentication and gain unauthorized access to file transfer servers. Because of bungled reporting it was later re-tagged: CVE-2025-31161 is the official identifier and CVE-2025-2825 is the duplicate.
The authentication bypass vulnerability affects:
- "Most" versions of CrushFTP v10
- All versions of CrushFTP v11 prior to v11.3.1
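The affected-version list above is what a defender needs when sweeping an inventory of CrushFTP hosts. The script below is an added example, not CrushFTP's own code or a tool from the advisory: it parses CrushFTP-style version strings and flags hosts that fall inside the stated range. It assumes (as labelled in the code) that any v10 build should be treated as affected, since the page only says "most" v10 versions are, that v11 is affected strictly below 11.3.1, and that a build suffix after an underscore (e.g. `11.2.3_40`) can be ignored for the comparison; the host names and versions are constructed sample data.

```python
"""Inventory check for the CrushFTP authentication bypass
(CVE-2025-31161, duplicate id CVE-2025-2825).

Added example, not CrushFTP's code. Assumptions (labelled):
  * the advisory says "most" v10 releases are affected; this check
    conservatively treats every v10 build as needing a patch/review;
  * v11 is affected strictly below 11.3.1, as the advisory states;
  * version strings are parsed as dotted integers, with an optional
    build suffix after '_' (e.g. "11.2.3_40") ignored when comparing.
"""
import re
from typing import Dict, Tuple

FIXED_V11 = (11, 3, 1)  # first fixed v11 release per the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.2.3_40' or 'v10.8.4' into a tuple of ints; raises on junk."""
    core = text.strip().lstrip("vV").split("_", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    return tuple(int(part) for part in core.split("."))


def needs_patch(version: str) -> bool:
    """True if the version falls in the affected range described above."""
    parts = parse_version(version)
    major = parts[0]
    if major == 10:
        return True  # conservative assumption: page says "most" v10 builds
    if major == 11:
        # tuple comparison makes (11, 3) < (11, 3, 1), so a bare "11.3" is flagged
        return parts < FIXED_V11
    return False  # majors the advisory does not list


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'PATCH' / 'ok' / 'unknown' for a host:version inventory.

    'unknown' means the version string could not be parsed and the host
    needs a manual look rather than being silently skipped.
    """
    verdicts = {}
    for host, version in inventory.items():
        try:
            verdicts[host] = "PATCH" if needs_patch(version) else "ok"
        except ValueError:
            verdicts[host] = "unknown"
    return verdicts


if __name__ == "__main__":
    # constructed sample inventory, not real hosts or observed versions
    sample = {
        "ftp-a.example": "11.2.3_40",
        "ftp-b.example": "11.3.1",
        "ftp-c.example": "10.8.4",
        "ftp-d.example": "11.3",
        "ftp-e.example": "build-unknown",
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Hosts reported as `PATCH` should be updated (or placed behind the DMZ perimeter network feature until they can be); `unknown` entries are version strings the parser did not recognise and should be checked by hand rather than assumed safe.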
The Shadowserver Foundation reported on Monday that it had observed exploitation attempts based on a publicly available proof-of-concept (PoC) exploit. According to their data, 1,512 unpatched CrushFTP instances remained vulnerable as of March 30, 2025, down from approximately 1,800 on March 28.
Exploitation attempts primarily originate from IP addresses in Asia, with a smaller number coming from Europe and North America.