Critical auth bypass bug in CrushFTP now exploited in attacks

April 1, 2025

CrushFTP

Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code.

The security vulnerability (CVE-2025-2825) was reported by Outpost24, and it allows remote attackers to gain unauthenticated access to devices running unpatched CrushFTP v10 or v11 software.

"Please take immediate action to patch ASAP. The bottom line of this vulnerability is that an exposed HTTP(S) port could lead to unauthenticated access," CrushFTP warned in an email sent to customers on Friday, March 21, when it released patches to address the security flaw.

As a workaround, admins who can't immediately update CrushFTP 10.8.4 and later or 11.3.1 and later can enable the DMZ (demilitarized zone) perimeter network option to protect their CrushFTP servers until they can patch.

A week later, security threat monitoring platform Shadowserver warned that its honeypots detected dozens of exploitation attempts targeting Internet-exposed CrushFTP servers, with over 1,500 vulnerable instances exposed online.

The warning comes days after ProjectDiscovery published a write-up containing CVE-2025-2825 technical details and a proof-of-concept exploit.

"We are observing CrushFTP CVE-2025-2825 exploitation attempts based on publicly available PoC exploit code," Shadowserver said on Monday. "Still 1512 unpatched instances vulnerable to CVE-2025-2825 seen on 2025-03-30."

*Vulnerable CrushFTP servers exposed online (Shadowserver)*

File transfer products such as CrushFTP are high on ransomware gangs' list of targets, specifically Clop, which has been linked to data theft attacks targeting zero-day flaws in Accelion FTA, MOVEit Transfer, GoAnywhere MFT, and, most recently, Cleo software.

One year ago, in April 2024, CrushFTP patched an actively exploited zero-day vulnerability (tracked as CVE-2024-4040) that let unauthenticated attackers escape the user's virtual file system (VFS) and download system files.

At the time, cybersecurity company CrowdStrike found evidence that the campaign targeting CrushFTP servers at multiple U.S. organizations was likely politically motivated and focused on intelligence-gathering.

The Cybersecurity and Infrastructure Security Agency (CISA) also added CVE-2024-4040 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to secure vulnerable systems on their networks within a week.

CrushFTP customers were also warned to patch a critical remote code execution bug (CVE-2023-43177) in the company's enterprise suite in November 2023 after Converge security researchers (who discovered and reported the flaw) released a proof-of-concept exploit three months after security updates were released.