WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy

Summary:
A critical vulnerability (CVE-2025-31161) in CrushFTP versions 10 and 11, allowing remote authentication bypass and admin access, was disclosed privately to customers on March 21st. Outpost24, the discoverer, had initiated a responsible disclosure process with MITRE, aiming for a 90-day embargo to prevent malicious exploitation. However, VulnCheck, a CNA, independently assigned CVE-2025-2825 to the same flaw five days after the disclosure, leading to confusion and conflicting CVE references. That independent assignment drew attention to the flaw and accelerated public awareness: security firms released technical details and PoC exploit code, and Shadowserver observed rapid exploitation attempts. Despite patches and workarounds being available, hundreds of vulnerable CrushFTP instances remain, including over 500 in the US. The exact impact following exploitation of CVE-2025-31161 and privilege escalation to administrator, beyond potential data access, is still under investigation. CrushFTP has criticized and blamed the security firms that released technical details and PoC exploit code for the rapid exploitation of this flaw.

Security Officer Comments:
The CrushFTP vulnerability incident highlights the complexities and pitfalls of vulnerability disclosure and CVE assignment. VulnCheck's decision to assign a CVE, while within its rights as a CNA, shows how rapid public disclosure and responsible (coordinated) disclosure can work against each other. MITRE's delayed assignment of CVE-2025-31161 created the conflict, and the rapid release of PoC exploits made it worse, underscoring the need for clearer communication and coordination between the cybersecurity community and government agencies. CrushFTP's criticism of security firms, while understandable from a vendor's perspective, also raises questions about the balance between transparency and the risk of rapid exploitation of n-day vulnerabilities. The ongoing exploitation despite available patches emphasizes the importance of timely patching and the persistent risk posed by unpatched systems; the number of vulnerable instances dropped significantly once the patch was released. The lack of clarity on the attackers' objectives means continued monitoring and investigation are needed to understand the full scope and impact of this vulnerability. The open question for the community remains: should transparency or responsible disclosure practices take priority?

Suggested Corrections:
Users should immediately patch to CrushFTP version 10.8.4 or 11.3.1, or later. This vulnerability is already being exploited in the wild by remote attackers. If it is not possible to patch immediately, enabling the DMZ perimeter network option can serve as a workaround.
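The fixed releases are branch-specific (10.8.4 for the 10.x line, 11.3.1 for the 11.x line), so a flat "is the version newer than 10.8.4" check would wrongly mark an unpatched 11.0.0 install as safe. The script below is an added example, not code from WNYCyber, Outpost24, or CrushFTP: it compares version strings from a constructed inventory against the fixed versions named above and groups hosts into a patch queue. How you collect the version string from each host (asset inventory, configuration management, a banner) is an assumption left to your environment; the hostnames and versions here are made up.

```python
"""Branch-aware check of CrushFTP versions against the fixed releases
named in the advisory (10.8.4 for 10.x, 11.3.1 for 11.x).

Added example, not code from the advisory or from CrushFTP. The inventory
at the bottom is constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Fixed versions per affected major branch, as stated in the advisory.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    10: (10, 8, 4),
    11: (11, 3, 1),
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '11.3.1' into (11, 3, 1).

    Only the leading numeric components are used, so a build suffix such
    as '10.8.4_build123' (constructed) still parses as (10, 8, 4). Missing
    components are treated as 0, so '11.3' compares as (11, 3, 0). Integer
    tuples keep '10.8.10' after '10.8.4'; a plain string comparison would
    get that wrong.
    """
    nums = [int(m) for m in re.findall(r"\d+", v)]
    if not nums:
        raise ValueError(f"unparseable version string: {v!r}")
    padded = (nums + [0, 0, 0])[:3]
    return (padded[0], padded[1], padded[2])


def assess(version: str) -> str:
    """Classify one CrushFTP version string.

    Returns 'vulnerable', 'patched', or 'not-covered'. 'not-covered' means
    the major version is not one the advisory names (10 or 11); do not
    read that as safe, it just means this check has nothing to say.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return "not-covered"
    # Compare within the branch: 11.0.0 is newer than 10.8.4 in absolute
    # terms but is still an unpatched 11.x build.
    return "patched" if parsed >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by assessment; the 'vulnerable' list is the patch queue."""
    out: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "not-covered": []}
    for host, ver in inventory.items():
        out[assess(ver)].append(host)
    for hosts in out.values():
        hosts.sort()
    return out


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ftp-a.example.internal": "10.8.3",   # below the 10.x fix
    "ftp-b.example.internal": "10.8.4",   # exactly the 10.x fix
    "ftp-c.example.internal": "10.8.10",  # later 10.x build
    "ftp-d.example.internal": "11.0.0",   # unpatched 11.x despite being "newer" than 10.8.4
    "ftp-e.example.internal": "11.3.1",   # exactly the 11.x fix
    "ftp-f.example.internal": "11.3",     # parses as 11.3.0, still below the fix
    "ftp-g.example.internal": "9.5.0",    # branch not named by the advisory
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Run it as-is to see the sample triage, or replace SAMPLE_INVENTORY with your own host-to-version map. Hosts that land in "vulnerable" are the ones to patch first or, if that is not yet possible, to move behind the DMZ perimeter network option mentioned above.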

Link(s):
https://www.securityweek.com/details-emerge-on-cve-controversy-around-exploited-crushftp-vulnerability/

https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/