CrushFTP Data Transfer Software Exposes Security Vulnerability

Thu 27th Mar, 2025

A significant security vulnerability has been identified in CrushFTP, a widely used data transfer software, which could allow unauthorized access to attackers over the internet.

The vulnerability, tracked as CVE-2025-2825 (CVSS score 9.8, rated critical), affects versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, as noted in the CVE entry. It allows attackers to send unauthenticated HTTP requests to CrushFTP and thereby gain unauthorized access.

While the manufacturer has provided limited details about the vulnerability, it has been reported under a 'Responsible Disclosure' process. Currently, there are no confirmed exploits in the wild. However, users utilizing the DMZ feature in CrushFTP can be assured that their software remains secure against this flaw.

The company urges administrators to update promptly to version 10.8.4 or 11.3.1, or any later release. For earlier versions, an automatic update option is available in the settings; it requires a manual entry in the prefs.XML file, specifically 'daily_check_and_auto_update_on_idle', and is available starting from version 11.2.3_19. However, a bug may affect this feature on Windows systems. IT administrators can also obtain the updated packages from the official CrushFTP download page, which is considered the most reliable way to apply the update.
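As an added example (not CrushFTP's own code or tooling), the following script triages a constructed inventory of CrushFTP version strings against the affected ranges and fixed releases stated above. It assumes that a build suffix such as `_19` does not change the major.minor.patch comparison, and it checks version numbers only; it cannot tell whether an instance is deployed behind the DMZ feature, which the advisory says is not affected.

```python
"""Triage CrushFTP version strings against the CVE-2025-2825 advisory.

Added example, not part of the advisory or of CrushFTP itself.
Affected ranges and fixed versions are taken from the advisory text:
  10.0.0 - 10.8.3 affected, fixed in 10.8.4
  11.0.0 - 11.3.0 affected, fixed in 11.3.1
"""
import re

# Inclusive (low, high) ranges of affected versions, as (major, minor, patch).
AFFECTED_RANGES = [
    ((10, 0, 0), (10, 8, 3)),
    ((11, 0, 0), (11, 3, 0)),
]

# First fixed release on each affected major branch.
FIXED_VERSIONS = {
    10: (10, 8, 4),
    11: (11, 3, 1),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for strings like '11.2.3' or '11.2.3_19'.

    Assumption: a trailing build suffix (e.g. '_19') does not affect whether
    the release falls inside the advisory's ranges, so it is ignored.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the version lies inside one of the affected ranges."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def recommended_fix(text):
    """Return the fixed version string for an affected version, else None."""
    version = parse_version(text)
    if not is_affected(text):
        return None
    return ".".join(str(part) for part in FIXED_VERSIONS[version[0]])


def triage(inventory):
    """Map host name -> ('affected', fixed_version) or ('ok', None)."""
    result = {}
    for host, version_text in inventory.items():
        fix = recommended_fix(version_text)
        result[host] = ("affected", fix) if fix else ("ok", None)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample_inventory = {
        "ftp-legacy.example.internal": "10.8.3",
        "ftp-main.example.internal": "11.2.3_19",
        "ftp-new.example.internal": "11.3.1",
        "ftp-dmz.example.internal": "10.8.4",
    }
    for host, (status, fix) in triage(sample_inventory).items():
        note = f"upgrade to {fix} or later" if fix else "not in affected ranges"
        print(f"{host:32} {sample_inventory[host]:10} {status:8} {note}")
```

Run it against the output of a real inventory source (for example the version reported on each server's admin page) instead of the constructed dictionary; the ranges are inclusive at both ends, so 10.8.3 and 11.3.0 are reported as affected while 10.8.4 and 11.3.1 are not.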

Cybercriminals often target data transfer software because it can serve as a gateway to sensitive information, which they then use to extort companies for ransom. Notably, the Cl0p cyber gang previously exploited similar software, MOVEit Transfer, to exfiltrate data from numerous high-profile companies and demanded ransom payments.

CrushFTP has been flagged as a potential target for malicious actors looking to exploit its vulnerabilities. In late April, cybersecurity researchers observed attacks targeting a flaw within the software, with hundreds of instances accessible from the internet in Germany alone.
