Security Update Released for CrushFTP
Summary
CrushFTP has released a security update addressing a critical vulnerability that could lead to unauthorised access via remote and unauthenticated HTTP requests
Affected platforms
The following platforms are known to be affected:
Threat details
Exploitation of CVE-2025-2825
A public proof-of-concept exploit is available for CVE-2025-2825 and exploitation has been reported in the wild. The NHS England National CSOC assesses that continued exploitation of this vulnerability is highly likely.
Introduction
A vulnerability has been disclosed in CrushFTP, a file server supporting standard secure file transfer protocols, after being discovered by a security researcher.
The vulnerability, designated CVE-2025-2825, is a critical 'improper authentication' vulnerability with a CVSSv3 score of 9.8. Successful exploitation could allow a remote, unauthenticated attacker to craft HTTP requests to CrushFTP that result in unauthorised access.
Note: The vulnerability is not exploitable if organisations have implemented the demilitarised zone (DMZ) function of CrushFTP.
Threat updates
| Date | Update |
|---|---|
| 2 Apr 2025 | Exploitation of CVE-2025-2825 |
| 1 Apr 2025 | Proof-of-concept exploit released for CVE-2025-2825 |
| 27 Mar 2025 | Vulnerability has been designated as CVE-2025-2825 |
Remediation advice
Affected organisations are encouraged to review the latest CrushFTP release notes and update CrushFTP to version 11.3.1 (or above) as soon as practicable.
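Checking an estate against the remediation advice above means comparing reported CrushFTP versions numerically rather than as strings (a plain string comparison would rank "11.10.0" below "11.3.1"). The following is an added example, not code from the advisory or from CrushFTP: it parses "major.minor[.patch]" version strings, flags anything below 11.3.1 (the only fixed version the advisory names) as needing an update, and runs over a constructed sample inventory. The hostnames, the CSV layout and the version-string format are assumptions.

```python
"""Flag CrushFTP instances below the fixed version named in the advisory.

Added example (not from the advisory or CrushFTP): compares reported version
strings against 11.3.1 numerically. Inventory lines are constructed sample data.
"""
import re
from typing import List, Optional, Tuple

# Minimum version named in the remediation advice (assumed format major.minor.patch).
FIXED_VERSION = (11, 3, 1)

# Constructed sample inventory: "hostname,reported version" (not real hosts).
SAMPLE_INVENTORY = """\
ftp-prod-01,11.3.1
ftp-prod-02,11.2.3
ftp-dmz-01,11.10.0
ftp-legacy-01,10.8.4
ftp-test-01,unknown
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor[.patch]' into a comparable tuple; None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def needs_update(version: str) -> Optional[bool]:
    """True if below the fixed release, False if at or above, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def triage_inventory(csv_text: str) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) per line; status is UPDATE, OK or UNKNOWN.

    UNKNOWN entries still need a manual check: an unreadable version is not
    evidence that the host is patched.
    """
    results = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        verdict = needs_update(version)
        status = "UNKNOWN" if verdict is None else ("UPDATE" if verdict else "OK")
        results.append((host.strip(), version.strip(), status))
    return results


if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{status:8} {host:16} {version}")
```

Because the advisory only names 11.3.1 as the target release, the check treats every lower version, including 10.x builds, as needing an update; organisations on another release line should confirm the equivalent fixed version in the CrushFTP release notes before changing the threshold.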
Definitive source of threat updates
Last edited: 2 April 2025 1:30 pm