CrushFTP issues advisory for Unauthenticated Access Vulnerability, patch now!
Take action: If you are running CrushFTP, this is an urgent advisory. Patch your server IMMEDIATELY. If you can't patch, activate the DMZ perimeter network feature until you are able to apply the patches. This flaw is going to be attacked by hackers in the next few days if it hasn't been already.
CrushFTP has released an urgent security advisory warning customers about a critical vulnerability that allows unauthenticated access to servers exposed to the internet via HTTP(S) ports.
The flaw is tracked as CVE-2025-2825 (CVSS score 9.8) and it affects CrushFTP servers with exposed HTTP(S) ports, enabling attackers to gain unauthorized access without authentication.
The flaw was later re-tagged as CVE-2025-31161 (official) / CVE-2025-2825 (duplicate) because of bungled reporting.
While the initial customer email indicated that only CrushFTP v11 versions were affected, a subsequent advisory clarified that both CrushFTP v10 and v11 are vulnerable to this security issue. A formal CVE identifier for this vulnerability is pending.
CrushFTP has already released patches to address this vulnerability. Users are advised to:
- Update immediately to CrushFTP v11.3.1 or later
- For users of CrushFTP 10, update to 10.8.4 or later
- As a temporary workaround, enable the DMZ (demilitarized zone) perimeter network feature, which mitigates the vulnerability until patching is possible
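The two fixed releases above are the only hard numbers in the advisory, so the practical first step for a defender is to run an inventory of CrushFTP version strings against them. The script below is an added example, not CrushFTP's code; it assumes you already hold a list of hosts and their reported versions (from a CMDB, a config-management export, or the server's own About page), and the hostnames and versions in the sample inventory are constructed. It compares each version numerically against 10.8.4 or 11.3.1 by major branch and marks anything outside v10/v11 as not covered, since the advisory says nothing about other branches.

```python
"""Flag CrushFTP installs that are below the fixed releases named in the advisory.

Added example; not CrushFTP's own code. Assumes an inventory of version
strings is already available. Fixed versions per the advisory: 11.3.1 (v11)
and 10.8.4 (v10).
"""
from typing import Dict, Tuple

# Minimum patched release per major branch, straight from the advisory.
FIXED_VERSIONS: Dict[int, Tuple[int, ...]] = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.2.3' into (11, 2, 3) so versions compare numerically, not as text.

    A non-numeric suffix such as '11.3.1_beta' is cut off at the first
    non-digit, so the numeric prefix still compares correctly.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '11.3' compares as '11.3.0'."""
    return v + (0,) * (n - len(v))


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'not-covered' for one version string."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        # The advisory only names v10 and v11; do not guess about other branches.
        return "not-covered"
    n = max(len(v), len(fixed))
    return "patched" if _pad(v, n) >= _pad(fixed, n) else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a dict of host -> reported version string."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = {
    "ftp-a.example.internal": "11.3.0",
    "ftp-b.example.internal": "11.3.1",
    "ftp-c.example.internal": "10.8.3",
    "ftp-d.example.internal": "10.8.4",
    "ftp-e.example.internal": "11.2.10",
    "ftp-f.example.internal": "9.5.0",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:26s} {SAMPLE_INVENTORY[host]:9s} {status}")
```

Anything reported as vulnerable should be patched first; where that cannot happen right away, the advisory's DMZ perimeter workaround is the interim control. Note that a version string comparison only tells you what the server reports, not whether the HTTP(S) interface is actually reachable from the internet, so pair this with your external exposure inventory.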
According to Shodan data, over 3,400 CrushFTP instances currently have their web interfaces exposed online, potentially making them targets for attacks. It's not clear how many of these instances have already been patched against this vulnerability.
The company is strongly urging all users to patch their systems immediately to prevent potential exploitation.