CrushFTP Blames Security Firms for Fast Exploitation of Vulnerability

Shadowserver has started seeing exploitation attempts aimed at a CrushFTP vulnerability tracked as CVE-2025-2825 and CVE-2025-31161.

The Shadowserver Foundation on Monday said it started seeing exploitation attempts aimed at a recently patched CrushFTP vulnerability.

The developers of the CrushFTP enterprise file transfer solution informed customers on March 21 that versions 10 and 11 are affected by a vulnerability that can allow a remote, unauthenticated attacker to gain access to a system.

Patches are included in versions 11.3.1+ and 10.8.4+, and mitigations have also been made available.

Because the developers of CrushFTP had yet to announce a CVE identifier several days after disclosure, vulnerability intelligence firm VulnCheck took the initiative and assigned it CVE-2025-2825, which CrushFTP did not appreciate, saying that the “real CVE is pending”.

On Tuesday morning, CrushFTP told SecurityWeek that the CVE for the vulnerability is actually CVE-2025-31161, which was assigned by Outpost24, the security firm whose researchers have been credited for responsibly disclosing the flaw.

However, the cybersecurity industry has started using CVE-2025-2825 to track the vulnerability, which it describes as a critical authentication bypass that can be exploited using specially crafted HTTP(S) requests.

Several security firms have analyzed the vulnerability and shared technical details and even proof-of-concept (PoC) exploit code.

On March 28, the non-profit cybersecurity organization Shadowserver reported seeing roughly 1,800 unpatched CrushFTP instances worldwide, including more than 900 in the United States.

By March 31, the number of vulnerable instances dropped by a few hundred, but Shadowserver’s honeypots started seeing dozens of exploitation attempts aimed at CVE-2025-2825. The attempts seen by the organization are leveraging the publicly available PoC exploit code.

CrushFTP told SecurityWeek that those who released technical details are to blame for the vulnerability being weaponized and for companies being targeted so soon after disclosure. The company seems very unhappy with the security firms that rushed to make details public and issue a CVE identifier, describing them as “bad actors”.

CrushFTP has been pushing users to patch and it plans on sending another email on Tuesday to encourage people to update.

This is not the first time a CrushFTP vulnerability has been targeted by threat actors. Exactly one year ago, CrushFTP customers were warned about a zero-day vulnerability that had been exploited in targeted attacks.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.