DIVD-2025-00007 - Authentication bypass in CrushFTP service
| Our reference | DIVD-2025-00007 |
| Case lead | Alwin Warringa |
| Researcher(s) | |
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Update CrushFTP as soon as possible to version 10.8.4+ or v11.3.1+ |
| Patch status | Fully patched |
| Workaround | If you are unable to update, then enable the DMZ (demilitarized zone) perimeter network option to protect the CrushFTP instance until security updates can be deployed. |
| Status | Open |
| Last modified | 01 Apr 2025 08:39 CEST |
Summary
CrushFTP is a file transfer server used for file sharing, workflow automation, and user management. It supports multiple protocols like FTP, SFTP, HTTP/S, WebDAV. CVE-2025-2825 has been identified in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. This vulnerability has a high impact on all three aspects of the CIA triad (confidentiality, integrity, and availability). Exploiting CVE-2025-2825 can allow threat actors without any authentication to access the application remotely.
Recommendations
To remediate CVE-2024-53704, please upgrade CrushFTP to the version 10.8.3 or 11.3.0 or later. If you are unable to update, then enable the DMZ (demilitarized zone) perimeter network option to protect the CrushFTP instance until security updates can be deployed.
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of CrushFTP service and to notify these parties.
Timeline
| Date | Description |
|---|---|
| 29 Mar 2025 | DIVD starts researching the vulnerability. |
| 29 Mar 2025 | DIVD finds fingerprint, preparing to scan. |
| 29 Mar 2025 | Case opened and starting first scan. |
| 01 Apr 2025 | DIVD starts notifying network owners with a vulnerable devices in their network. |