
DIVD-2025-00007 - Authentication bypass in CrushFTP service

Our reference DIVD-2025-00007
Case lead Alwin Warringa
Researcher(s)
CVE(s)
Products
  • CrushFTP
Versions
  • 10.0.0 through 10.8.3
  • 11.0.0 through 11.3.0
Recommendation Update CrushFTP as soon as possible to version 10.8.4 or later, or 11.3.1 or later
Patch status Fully patched
Workaround If you are unable to update, then enable the DMZ (demilitarized zone) perimeter network option to protect the CrushFTP instance until security updates can be deployed.
Status Open
Last modified 01 Apr 2025 08:39 CEST

Summary

CrushFTP is a file transfer server used for file sharing, workflow automation, and user management. It supports multiple protocols, such as FTP, SFTP, HTTP/S and WebDAV. CVE-2025-2825 has been identified in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. This vulnerability has a high impact on all three aspects of the CIA triad (confidentiality, integrity, and availability). Exploiting CVE-2025-2825 allows a remote threat actor to access the application without any authentication.

Recommendations

To remediate CVE-2025-2825, please upgrade CrushFTP to version 10.8.4 or later, or 11.3.1 or later (10.8.3 and 11.3.0 are the last affected releases of each branch). If you are unable to update, then enable the DMZ (demilitarized zone) perimeter network option to protect the CrushFTP instance until security updates can be deployed.
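For operators triaging an inventory of CrushFTP hosts, the decision comes down to comparing each observed version against the affected ranges above. The following is an added example written for this page, not DIVD's scanner or CrushFTP code: it encodes the advisory's inclusive ranges (10.0.0 to 10.8.3, 11.0.0 to 11.3.0) and compares versions numerically, so that 10.8.10 is correctly ranked above 10.8.3 where a plain string comparison would not. How the version string is obtained (banner, admin UI, package manifest) is left to the operator and is not modeled; the host names and version strings in the sample inventory are constructed.

```python
"""Check observed CrushFTP version strings against the ranges affected by CVE-2025-2825.

Added example, not DIVD's scanner or CrushFTP's own code. The affected ranges
come from the advisory; obtaining the version string is out of scope here.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (first_affected, last_affected) ranges per the advisory.
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 8, 3)),
    ((11, 0, 0), (11, 3, 0)),
)

# First major.minor[.patch] occurrence anywhere in the text, e.g. "CrushFTP 10.8.3" or "v11.3.1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Extract a numeric (major, minor, patch) tuple from arbitrary text.

    Numeric tuples order correctly where raw strings do not: "10.8.10" must
    sort above "10.8.3". A missing patch component is treated as 0.
    Returns None when no version is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version falls inside an affected range, False if outside,
    None if the string carries no parseable version.

    Note: False only means "not in the advisory's listed ranges"; a version
    from a branch the advisory does not mention is not thereby proven safe.
    """
    v = parse_version(version)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map host -> verdict for a dict of host -> observed version string."""
    return {host: is_vulnerable(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "ftp-a.example.net": "CrushFTP 10.8.3",   # last affected 10.x release
    "ftp-b.example.net": "CrushFTP 10.8.4",   # first fixed 10.x release
    "ftp-c.example.net": "11.3.0",            # last affected 11.x release
    "ftp-d.example.net": "v11.3.1",           # first fixed 11.x release
    "ftp-e.example.net": "CrushFTP 10.8.10",  # above 10.8.3 numerically, below it as a string
    "ftp-f.example.net": "unknown",           # no version visible
}

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "not in affected ranges", None: "no version found"}
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:20} {SAMPLE_INVENTORY[host]:18} {labels[verdict]}")
```

Hosts reported as "no version found" need a manual check rather than being dropped from the list; an unfingerprintable instance is not a patched one.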

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of the CrushFTP service and to notify these parties.

Timeline

Date Description
29 Mar 2025 DIVD starts researching the vulnerability.
29 Mar 2025 DIVD finds fingerprint, preparing to scan.
29 Mar 2025 Case opened and starting first scan.
01 Apr 2025 DIVD starts notifying network owners with vulnerable devices in their network.

More information