CVE-2025-2825: CrushFTP Unauthenticated Remote Access Vulnerability
CVSS 9.8 (CRITICAL)
Description

CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.

INFO

Published Date: March 26, 2025, 4:15 p.m.
Last Modified: March 28, 2025, 5:15 p.m.
Remotely Exploitable: Yes
Impact Score: 5.9
Exploitability Score: 3.9

Affected Products

The following products are affected by CVE-2025-2825. Although cvefeed.io is aware of the exact product versions that are affected, that version information is not represented in the table below.

ID  Vendor    Product
1   Crushftp  crushftp
References to Advisories, Solutions, and Tools

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2025-2825 vulnerability anywhere in the article.

  • BleepingComputer
    Critical auth bypass bug in CrushFTP now exploited in attacks
    Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code. The security vulnera ...
    Published Date: Apr 01, 2025

  • Cyber Security News
    CrushFTP Vulnerability Exploited in Attacks Following PoC Release
    Security researchers have confirmed active exploitation attempts targeting the critical authentication bypass vulnerability in CrushFTP (CVE-2025-2825) following the public release of proof-of-concept ...
    Published Date: Apr 01, 2025

  • Cyber Security News
    CrushFTP Vulnerability Exploited to Gain Full Server Access
    A critical vulnerability (CVE-2025-2825) in CrushFTP, a widely used enterprise file transfer solution, allows attackers to bypass authentication and gain unauthorized server access. The vulnerability, ...
    Published Date: Mar 31, 2025

  • The Hacker News
    ⚡ Weekly Recap: Chrome 0-Day, IngressNightmare, Solar Bugs, DNS Tactics, and More
    Threat Intelligence / Cybersecurity Every week, someone somewhere slips up—and threat actors slip in. A misconfigured setting, an overlooked vulnerability, or a too-convenient cloud tool becomes the p ...
    Published Date: Mar 31, 2025

  • Daily CyberSecurity
    CrushFTP Hacked: Exploit CVE-2025-2825 with PoC and Nuclei Template
    ProjectDiscovery has published a technical breakdown of CVE-2025-2825, a critical authentication bypass flaw in CrushFTP—a widely used enterprise-grade file transfer server. The vulnerability, affecti ...
    Published Date: Mar 31, 2025

  • Daily CyberSecurity
    CVE-2025-22398: Dell Unity Hit by 9.8 CVSS Root-Level Command Injection Flaw
    Dell has released a security update for Unity OS version 5.4 and earlier, addressing a set of critical vulnerabilities that expose the popular enterprise storage systems—Unity, UnityVSA, and Unity XT— ...
    Published Date: Mar 31, 2025

  • Help Net Security
    Week in review: Chrome sandbox escape 0-day fixed, Microsoft adds new AI agents to Security Copilot
    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft’s new AI agents take on phishing, patching, alert fatigue Microsoft is rolling out a new gen ...
    Published Date: Mar 30, 2025

  • The Register
    CrushFTP CEO's feisty response to VulnCheck's CVE for critical make-me-admin bug
    CrushFTP's CEO is not happy with VulnCheck after the CVE numbering authority (CNA) released an unofficial ID for the critical vulnerability in its file transfer tech disclosed almost a week ago. Accor ...
    Published Date: Mar 27, 2025

  • Help Net Security
    CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825)
    CrushFTP has fixed a critical vulnerability (CVE-2025-2825) in its enterprise file transfer solution that could be exploited by remote, unauthenticated attackers to access vulnerable internet-facing s ...
    Published Date: Mar 27, 2025

  • Cybersecurity News
    Millions at Risk: PoC Exploit Releases for Vite Arbitrary File Read Flaw (CVE-2025-30208)
    Vite, the blazing-fast frontend build tool that powers millions of modern web applications, has been found vulnerable to a file access control bypass flaw that could expose arbitrary file contents to ...
    Published Date: Mar 27, 2025

  • Cybersecurity News
    CVE-2025-2825: Critical Vulnerability in CrushFTP Exposes Servers to Unauthenticated Access Risk
    Admins urged to patch immediately as CrushFTP discloses high-severity flaw impacting versions 10 and 11. A new high-severity vulnerability has been disclosed in CrushFTP, a widely used secure file tran ...
    Published Date: Mar 27, 2025

The following table lists the changes that have been made to the CVE-2025-2825 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108 (Mar. 28, 2025)
    Added Reference: https://projectdiscovery.io/blog/crushftp-authentication-bypass

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Mar. 26, 2025)
    Added CWE: CWE-287

  • New CVE Received by [email protected] (Mar. 26, 2025)
    Added Description: CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.
    Added CVSS V3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added Reference: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
    Added Reference: https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-next-js-cve-2025-29927/
    Added Reference: https://www.runzero.com/blog/crushftp/

EPSS - Exploit Prediction Scoring System

EPSS is a daily estimate of the probability that exploitation activity will be observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-2825 is associated with the following CWEs:

  • CWE-287: Improper Authentication

CVSS 3.1 - Common Vulnerability Scoring System

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High