CVE-2025-2825

Published Mar 26, 2025

Last updated 2 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-2825 affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. It allows remote, unauthenticated attackers to gain unauthorized access to the CrushFTP server: unauthenticated HTTP requests sent to the server can potentially lead to complete system compromise, unauthorized access to sensitive data, data theft or manipulation, and a breach of confidentiality, integrity, and availability.

Description
CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.
Source
disclosure@vulncheck.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-287

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

1

  1. Modat Magnify Alert: We’ve identified ~2,500 exposed CrushFTP instances worldwide. According to @Shadowserver ~1,800 may be vulnerable to CVE-2025-2825 (CVSS 9.8) — an auth bypass via HTTP(S) that can be exploited. https://t.co/TYQQbwss1F #ModatMagnify #crushftp #infosec #cve

    @modat_magnify

    28 Mar 2025

    57 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 CVE-2025-2825: CrushFTP Authentication Bypass (CVSS 9.8) 🚨 A critical auth bypass in CrushFTP 10.0.0–10.8.3 and 11.0.0–11.3.0 allows remote attackers to gain full access using S3-style headers. The flaw stems from improper handling of authentication flags—letting attackers h

    @pdiscoveryio

    28 Mar 2025

    925 Impressions

    5 Retweets

    16 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Breaking: CrushFTP's latest feature? Unauthenticated Access! Just kidding – but CVE-2025-2825 sure makes it seem so. Check out the full exploit review before your server parties like it's 1999: https://t.co/Xwcjir2O0b #CyberSecurity #CVE2025_2825 😎 https://t.co/KpsBVIj5EQ

    @InezVlasblom

    27 Mar 2025

    62 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Our Indicators of Compromise blog post for CVE-2025-2825, an authentication bypass affecting #CrushFTP. https://t.co/1F0WfFhwlA

    @Horizon3Attack

    27 Mar 2025

    6964 Impressions

    41 Retweets

    67 Likes

    35 Bookmarks

    1 Reply

    0 Quotes

  5. 🚨 CVE-2025-2825 ⚠️🔴 CRITICAL (9.8) 🏢 CrushFTP - CrushFTP 🏗️ 11.0.0 🔗 https://t.co/D5Ve1CpEyu 🔗 https://t.co/fw2zKcPM2x 🔗 https://t.co/piHgBpXSL8 #CyberCron #VulnAlert #InfoSec https://t.co/H2yqIqkVQb

    @cybercronai

    27 Mar 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-2825: Critical flaw in CrushFTP allows unauthenticated remote access. Patch immediately—attackers can bypass authentication completely. Details: https://t.co/6fPA7nNVkF #CyberSecurity #PatchNow

    @adriananglin

    27 Mar 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. #CrushFTP: Patch critical #vulnerability ASAP! (#CVE-2025-2825) https://t.co/0auqLymTXk

    @ScyScan

    27 Mar 2025

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) https://t.co/H0Xzncn0xl #HelpNetSecurity #Cybersecurity https://t.co/D8WTiqMRuS

    @PoseidonTPA

    27 Mar 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚨CVE-2025-2825: Unauthenticated HTTP(S) port access on CrushFTPv10/v11 CVSS: 9.8 https://t.co/nmQIp3mRu4

    @DarkWebInformer

    26 Mar 2025

    5905 Impressions

    19 Retweets

    47 Likes

    13 Bookmarks

    0 Replies

    1 Quote

  10. CVE-2025-2825 CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated … https://t.co/4uOX9h5biW

    @CVEnew

    26 Mar 2025

    259 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. It's been 5 days since CrushFTP publicly disclosed a new vulnerability. But no CVE assignment. It's within VulnCheck CNA scope to assign so we figured it would be helpful (see: CVE-2025-2825). Sent CrushFTP a courtesy email. 🤷‍♂️ https://t.co/ItNo2ea5f3

    @Junior_Baines

    26 Mar 2025

    10917 Impressions

    14 Retweets

    45 Likes

    11 Bookmarks

    2 Replies

    1 Quote

  12. New post from https://t.co/uXvPWJy6tj (CVE-2025-2825 | CrushFTP up to 10.8.3/11.3.0 HTTP Request improper authentication) has been published on https://t.co/5lDSTXCceS

    @WolfgangSesin

    26 Mar 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. [CVE-2025-2825: CRITICAL] Critical vulnerability in CrushFTP versions 10.0.0-10.8.3 & 11.0.0-11.3.0 allows unauthenticated access. Attackers can exploit this flaw remotely through HTTP requests. #cybersecurity, #vulnerability https://t.co/I9jAkmyBur https://t.co/p2amrFVxFe

    @CveFindCom

    26 Mar 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes