
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet programmers who have to deal daily with cyber threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

CISA Warns of CrushFTP Vulnerability Exploitation in the Wild - Conflicting Disclosure

Summary:

CISA has added CVE-2025-31161 to its Known Exploited Vulnerabilities (KEV) catalog. CrushFTP contains an authentication bypass vulnerability in the handling of the HTTP Authorization header that allows a remote, unauthenticated attacker to authenticate as any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise.

This addition comes on the heels of a controversial disclosure of the vulnerability by two different entities.

Security Officer Comments:

We have been warning about this vulnerability since last week. Ransomware groups like CL0P have historically targeted similar vulnerabilities to steal sensitive data from victims. The dangers of this vulnerability were compounded when Outpost24 responsibly disclosed the vulnerability as CVE-2025-31161, and VulnCheck independently posted its own CVE-2025-2825, which included a working proof-of-concept. This conflicting disclosure created confusion for users and will likely accelerate exploitation.

VulnCheck’s uncoordinated disclosure enabled threat actors to weaponize the flaw weeks before the embargo ended, leading to widespread attacks. Shadowserver observed exploitation within 48 hours of the PoC release.

Timeline of Events:

  • March 21, 2025:
    • Outpost24 discovers the flaw and coordinates with MITRE and CrushFTP under a 90-day embargo (CVE-2025-31161).
    • CrushFTP releases patches (v10.8.4, v11.3.1) but withholds technical details.
  • March 26, 2025:
    • VulnCheck independently assigns CVE-2025-2825 without coordination, publishing a PoC exploit.
  • March 28, 2025:
    • Shadowserver Foundation reports 1,512 unpatched instances under attack via CVE-2025-2825.
  • April 3, 2025:
    • MITRE rejects CVE-2025-2825, finalizing CVE-2025-31161 as the official identifier.


Suggested Corrections:

  • Patch Immediately:
    • Upgrade to CrushFTP versions 10.8.4 or 11.3.1 to address the vulnerability.
  • Temporary Workaround:
    • Enable the DMZ perimeter network feature if patching is not immediately feasible.
  • Monitor Systems:
    • Look for signs of unauthorized access or unusual HTTP requests.
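
The two checks below put the "Patch Immediately" and "Monitor Systems" items into working code. This is an added example written for this page, not code from CISA, CrushFTP, Outpost24 or VulnCheck. `is_patched()` compares an installed CrushFTP version string against the fixed releases named above (10.8.4 and 11.3.1), treating any other major line as not covered and therefore unpatched. `find_suspicious_logins()` scans access-log lines for a successful login to a privileged account (crushadmin, the account named in the summary) from an address outside a trusted list, and for bursts of authenticated requests from one source. The log line layout, the request paths, the trusted-IP list and the burst threshold are all assumptions constructed for the example; CrushFTP's own log format differs, so adapt `parse_line()` to whatever your reverse proxy or server actually writes.

```python
"""Defender-side checks for the CrushFTP advisory (added example, not vendor code).

Assumed log layout (constructed for this example, NOT CrushFTP's real format):
    "<ISO-timestamp> <client-ip> <user-or-dash> <METHOD> <path> <status>"
"""
from __future__ import annotations

from collections import Counter

# Fixed releases named in the advisory, keyed by major version line.
PATCHED = {10: (10, 8, 4), 11: (11, 3, 1)}

# Account named in the advisory as a likely target of the bypass.
PRIVILEGED_ACCOUNTS = {"crushadmin"}

# Assumed tuning value: more than this many authenticated requests from one
# source in the scanned window is reported as a burst.
BURST_THRESHOLD = 5


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '11.3.1' into (11, 3, 1) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str) -> bool:
    """True when the version is at or above the fixed release for its major line.

    Major lines the advisory does not mention (e.g. 9.x) are reported as
    unpatched so that an unknown build never silently passes the check.
    """
    parsed = parse_version(version)
    fixed = PATCHED.get(parsed[0])
    if fixed is None:
        return False
    return parsed >= fixed  # (10, 8) < (10, 8, 4), (10, 9) > (10, 8, 4)


def parse_line(line: str) -> dict:
    """Split one assumed-format log line into its fields."""
    ts, ip, user, method, path, status = line.split()
    return {"ts": ts, "ip": ip, "user": user, "method": method,
            "path": path, "status": int(status)}


def find_suspicious_logins(lines: list[str], trusted_ips: set[str]) -> list[str]:
    """Report privileged logins from untrusted sources and per-IP request bursts.

    A (user, ip) pair is reported once, on its first successful request, so a
    single intruder session does not flood the output.
    """
    findings: list[str] = []
    attempts: Counter[str] = Counter()
    reported: set[tuple[str, str]] = set()

    for line in lines:
        rec = parse_line(line)
        if rec["user"] == "-":
            continue  # unauthenticated request: nothing to judge here
        attempts[rec["ip"]] += 1
        key = (rec["user"], rec["ip"])
        if (rec["status"] == 200
                and rec["user"] in PRIVILEGED_ACCOUNTS
                and rec["ip"] not in trusted_ips
                and key not in reported):
            reported.add(key)
            findings.append(
                f"privileged login as {rec['user']} from untrusted {rec['ip']} at {rec['ts']}")

    for ip, count in attempts.items():
        if count > BURST_THRESHOLD:
            findings.append(f"{count} authenticated requests from {ip} (burst)")
    return findings


# Constructed sample input: one trusted admin host, one failed login from a
# stranger, and a run of successful admin requests from an internet address.
TRUSTED_IPS = {"10.0.0.5"}
SAMPLE_LOG = [
    "2025-04-01T09:00:01Z 10.0.0.5 alice GET /WebInterface/ 200",
    "2025-04-01T09:00:07Z 10.0.0.5 crushadmin GET /WebInterface/ 200",
    "2025-04-01T09:00:40Z 198.51.100.7 bob POST /WebInterface/login 401",
    "2025-04-01T09:01:10Z 203.0.113.9 - GET /WebInterface/ 401",
    "2025-04-01T09:01:12Z 203.0.113.9 crushadmin GET /WebInterface/ 200",
    "2025-04-01T09:01:13Z 203.0.113.9 crushadmin GET /WebInterface/ 200",
    "2025-04-01T09:01:14Z 203.0.113.9 crushadmin GET /WebInterface/ 200",
    "2025-04-01T09:01:15Z 203.0.113.9 crushadmin GET /WebInterface/ 200",
    "2025-04-01T09:01:16Z 203.0.113.9 crushadmin GET /WebInterface/ 200",
    "2025-04-01T09:01:17Z 203.0.113.9 crushadmin GET /WebInterface/ 200",
]


if __name__ == "__main__":
    for v in ("10.8.3", "10.8.4", "11.3.0", "11.3.1", "11.4.0"):
        print(f"CrushFTP {v}: {'patched' if is_patched(v) else 'UNPATCHED'}")
    for finding in find_suspicious_logins(SAMPLE_LOG, TRUSTED_IPS):
        print("ALERT:", finding)
```

Run against the constructed sample, the scan raises one alert for the admin login from 203.0.113.9 and one burst alert for that same address; the trusted host's admin session and bob's single failed attempt stay quiet. Feed the real server or proxy log through a `parse_line()` adjusted to its layout and keep the trusted list short; a privileged login from outside that list is exactly the unauthorized access the advisory tells you to look for.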


Link(s):
https://www.cisa.gov/known-exploited-vulnerabilities-catalog