CVE-2025-2825
CrushFTP Unauthenticated Remote Access Vulnerability
Description
CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.
INFO
Published Date :
March 26, 2025, 4:15 p.m.
Last Modified :
March 28, 2025, 5:15 p.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
5.9
Exploitability Score :
3.9
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-2825.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-2825 vulnerability anywhere in the article.
-
BleepingComputer
Critical auth bypass bug in CrushFTP now exploited in attacks
Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code. The security vulnera ... Read more
-
Cyber Security News
CrushFTP Vulnerability Exploited in Attacks Following PoC Release
Security researchers have confirmed active exploitation attempts targeting the critical authentication bypass vulnerability in CrushFTP (CVE-2025-2825) following the public release of proof-of-concept ... Read more
-
Cyber Security News
CrushFTP Vulnerability Exploited to Gain Full Server Access
A critical vulnerability (CVE-2025-2825) in CrushFTP, a widely used enterprise file transfer solution, allows attackers to bypass authentication and gain unauthorized server access. The vulnerability, ... Read more
-
The Hacker News
⚡ Weekly Recap: Chrome 0-Day, IngressNightmare, Solar Bugs, DNS Tactics, and More
Threat Intelligence / Cybersecurity Every week, someone somewhere slips up—and threat actors slip in. A misconfigured setting, an overlooked vulnerability, or a too-convenient cloud tool becomes the p ... Read more
-
Daily CyberSecurity
CrushFTP Hacked: Exploit CVE-2025-2825 with PoC and Nuclei Template
ProjectDiscovery has published a technical breakdown of CVE-2025-2825, a critical authentication bypass flaw in CrushFTP—a widely used enterprise-grade file transfer server. The vulnerability, affecti ... Read more
-
Daily CyberSecurity
CVE-2025-22398: Dell Unity Hit by 9.8 CVSS Root-Level Command Injection Flaw
Dell has released a security update for Unity OS version 5.4 and earlier, addressing a set of critical vulnerabilities that expose the popular enterprise storage systems—Unity, UnityVSA, and Unity XT— ... Read more
-
Help Net Security
Week in review: Chrome sandbox escape 0-day fixed, Microsoft adds new AI agents to Security Copilot
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft’s new AI agents take on phishing, patching, alert fatigue Microsoft is rolling out a new gen ... Read more
-
The Register
CrushFTP CEO's feisty response to VulnCheck's CVE for critical make-me-admin bug
CrushFTP's CEO is not happy with VulnCheck after the CVE numbering authority (CNA) released an unofficial ID for the critical vulnerability in its file transfer tech disclosed almost a week ago. Accor ... Read more
-
Help Net Security
CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825)
CrushFTP has fixed a critical vulnerability (CVE-2025-2825) in its enterprise file transfer solution that could be exploited by remote, unauthenticated attackers to access vulnerable internet-facing s ... Read more
-
Cybersecurity News
Millions at Risk: PoC Exploit Releases for Vite Arbitrary File Read Flaw (CVE-2025-30208)
Vite, the blazing-fast frontend build tool that powers millions of modern web applications, has been found vulnerable to a file access control bypass flaw that could expose arbitrary file contents to ... Read more
-
Cybersecurity News
CVE-2025-2825: Critical Vulnerability in CrushFTP Exposes Servers to Unauthenticated Access Risk
Admins urged to patch immediately as CrushFTP discloses high-severity flaw impacting versions 10 and 11.A new high-severity vulnerability has been disclosed in CrushFTP, a widely used secure file tran ... Read more
The following table lists the changes that have been made to the
CVE-2025-2825 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Mar. 28, 2025
Action Type Old Value New Value Added Reference https://projectdiscovery.io/blog/crushftp-authentication-bypass -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Mar. 26, 2025
Action Type Old Value New Value Added CWE CWE-287 -
New CVE Received by [email protected]
Mar. 26, 2025
Action Type Old Value New Value Added Description CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added Reference https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update Added Reference https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-next-js-cve-2025-29927/ Added Reference https://www.runzero.com/blog/crushftp/
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-2825 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-2825
weaknesses.