More details have emerged on the story of the CVE controversy around a CrushFTP vulnerability that threat actors started exploiting just days after its existence came to light.
On March 21, the developers of the CrushFTP enterprise file transfer solution informed customers that versions 10 and 11 are affected by a critical vulnerability that exposes systems to remote hacking. An attacker can leverage the flaw to bypass authentication and gain admin access to impacted CrushFTP instances.
Patches were included in versions 11.3.1 and 10.8.4 and workarounds were also made available, but since no CVE was announced for the vulnerability five days after its existence was disclosed, vulnerability intelligence firm VulnCheck decided to assign it a CVE, specifically CVE-2025-2825.
VulnCheck has been a CVE Numbering Authority (CNA) since April 2023 and it is allowed to assign CVE identifiers to vulnerabilities found in software that is not specifically covered by other CNAs.
However, CrushFTP was not happy with the decision, arguing that the “real CVE” had been pending. Indeed, roughly 10 days after disclosure, CrushFTP told SecurityWeek that the CVE for this vulnerability is CVE-2025-31161, which was assigned by Outpost24, the security firm credited for responsibly disclosing the flaw to the vendor.
In a blog post published on Wednesday, Outpost24 clarified that it reached out to MITRE for a CVE on March 13 and the plan was to keep details of the vulnerability under wraps for 90 days to avoid malicious exploitation.
It took MITRE until March 27 to assign CVE-2025-31161, according to Outpost24. By the time CVE-2025-31161 was announced — the first public mention of this CVE appears to be in SecurityWeek’s April 2 article — much of the security industry had already started using CVE-2025-2825 (assigned by VulnCheck) to track the vulnerability.
“[VulnCheck] had not contacted CrushFTP or Outpost24 beforehand to see if a responsible disclosure process was already underway. Nor did they credit Outpost24 for discovery,” Outpost24 said.
Outpost24 is now waiting for a response from MITRE regarding the CVE conflict. At the time of writing, CVE-2025-2825 is listed in the National Vulnerability Database (NVD), but CVE-2025-31161 is not.
The story of the vulnerability started attracting more attention after VulnChech assigned a CVE and several security firms started analyzing it, releasing technical details and PoC exploit code.
Soon after, the non-profit cybersecurity organization The Shadowserver Foundation started seeing exploitation attempts. Data from Shadowserver shows that the attacks are ongoing, although the number of IPs launching attacks started to drop on April 2.
Initially there were roughly 1,800 vulnerable internet-exposed CrushFTP instances. The number of vulnerable instances has steadily dropped, according to data from Shadowserver. However, as of April 2 there are still hundreds of vulnerable instances worldwide, including over 500 in the US.
CrushFTP told SecurityWeek on Tuesday that it had been pushing customers to patch their installations, and the company blamed security firms — which it described as “bad actors” — for the vulnerability being exploited so quickly in the wild.
It’s still unclear what attackers have been doing after exploiting the vulnerability. The flaw could allow threat actors to gain access to sensitive data or conduct further attacks against the targeted organization.
Related: NIST Still Struggling to Clear Vulnerability Submissions Backlog in NVD
Related: CVE and NVD – A Weak and Fractured Source of Vulnerability Truth
Related: Google Cloud to Assign CVEs to Critical Vulnerabilities
Related: CVE Turns 25
