CrushFTP warns users to patch unauthenticated access flaw immediately
Published on: 2025-05-30 21:11:04
CrushFTP warned customers of an unauthenticated HTTP(S) port access vulnerability and urged them to patch their servers immediately.
As the company also explained in an email sent to customers on Friday (seen by BleepingComputer), the security flaw enables attackers to gain unauthenticated access to unpatched servers if they are exposed on the Internet over HTTP(S).
"Please take immediate action to patch ASAP. A vulnerability has been addressed today (March 21st, 2025). All CrushFTP v11 versions were affected. (No earlier versions are affected.) A CVE will be generated soon," the company warned.
"The bottom line of this vulnerability is that an exposed HTTP(S) port could lead to unauthenticated access. The vulnerability is mitigated if you have the DMZ feature of CrushFTP in place."
While the email says this vulnerability only affects CrushFTP v11 versions, an advisory issued on the same day says that both CrushFTP v10 and v11 are impacted, as cybersecurity company Rapid7 first not