CrushFTP data transfer software enables unauthorized access
There is a security gap in the CrushFTP data transfer software that gives attackers unauthorized access from the network.
(Image: Created with AI in Bing Creator by heise online / dmk)
A serious security vulnerability has been discovered in CrushFTP, a data transfer software. It allows attackers unauthorized access from the network. Updates to close the gap are available.
The CVE entry for the CrushFTP vulnerability contains only a brief description: CrushFTP versions 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0 are affected by a vulnerability that can lead to unauthenticated access. Unauthenticated HTTP requests from the network to CrushFTP allow attackers to gain unauthorized access (CVE-2025-2825, CVSS 9.8, risk "critical").
No further details
However, the manufacturer does not provide more detailed information, and the CrushFTP update website adds only a few brief notes. The vulnerability was reported as part of a "Responsible Disclosure", and no attacks on it in the wild are known so far. Instances that use the DMZ function in CrushFTP are not vulnerable.
The company urges admins to update to versions 10.8.4 and 11.3.1 or newer immediately. Automatic updates can help here: from CrushFTP 11.2.3_19 onward, a manually added entry in the prefs.XML file called "daily_check_and_auto_update_on_idle" enables them, although under Windows this may be affected by a bug. IT managers can also find the updated software packages on the CrushFTP download page, which seems to be the most reliable way to apply the update.
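For admins with more than one instance, the practical question is which installations fall inside the affected ranges the advisory names. The following Python script is an added example, not code from heise online or from CrushFTP: it parses CrushFTP version strings in the form the article shows (a dotted triple such as 11.3.1, optionally with a build suffix such as 11.2.3_19), checks them against the ranges 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0, and reports the fixed release for that branch. The `dmz_mode` flag is an assumption: it stands in for whatever inventory field records that an instance uses the DMZ function, which the article says is not vulnerable.

```python
# Added example (not heise online's or CrushFTP's code): checks a CrushFTP
# version string against the affected ranges for CVE-2025-2825 as stated in
# the advisory text, and reports which fixed release to move to.
import re

# Affected ranges from the CVE description: 10.0.0-10.8.3 and 11.0.0-11.3.0,
# fixed in 10.8.4 and 11.3.1 respectively.
AFFECTED_RANGES = {
    10: ((10, 0, 0), (10, 8, 3), "10.8.4"),
    11: ((11, 0, 0), (11, 3, 0), "11.3.1"),
}

# CrushFTP versions look like "11.3.1" or "11.2.3_19": a dotted triple plus an
# optional "_build" suffix, as in the article's 11.2.3_19.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\s*$")


def parse_version(text):
    """Return (major, minor, patch, build); build is 0 when absent."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def is_affected(version_text):
    """True if the dotted triple lies inside an affected range.

    The build suffix is ignored on purpose: the advisory scopes the ranges
    by the dotted version only, so any 11.3.0_N is affected and 11.3.1 is not.
    """
    major, minor, patch, _build = parse_version(version_text)
    entry = AFFECTED_RANGES.get(major)
    if entry is None:
        return False
    low, high, _fixed = entry
    return low <= (major, minor, patch) <= high


def assess(version_text, dmz_mode=False):
    """Summarise exposure for one instance.

    dmz_mode is an assumed, operator-supplied flag reflecting the article's
    note that instances using the DMZ function are not vulnerable.
    """
    if not is_affected(version_text):
        return "not affected"
    if dmz_mode:
        return "affected version, but DMZ function in use: not vulnerable"
    fixed = AFFECTED_RANGES[parse_version(version_text)[0]][2]
    return f"vulnerable: update to {fixed} or newer"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, dmz_mode)
    inventory = [
        ("ftp-01.example", "10.8.3", False),
        ("ftp-02.example", "11.2.3_19", False),
        ("ftp-03.example", "11.2.3_19", True),
        ("ftp-04.example", "11.3.1", False),
    ]
    for host, version, dmz in inventory:
        print(f"{host:16} {version:10} {assess(version, dmz)}")
```

The comparison deliberately drops the build suffix, because the advisory draws its boundaries at 10.8.3/10.8.4 and 11.3.0/11.3.1; a build-numbered 11.3.0 release is still on the wrong side of that line. Feed it the version strings from your own inventory rather than trusting the sample rows, which are constructed.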
Cyber criminals are interested in data transfer software because they can often use it to obtain sensitive information that they can use to extort ransom money from attacked companies. The cyber gang Cl0p, for example, used such software (MOVEit Transfer) to extract data from hundreds of companies, some of them well-known, and tried to extort money from them.
CrushFTP is itself among the products that malicious actors have tried to attack through security vulnerabilities. At the end of last April, for example, IT security researchers observed attacks on a vulnerability in the data transfer software. In Germany, hundreds of instances of the software could be accessed from the internet.
(dmk)