Critical auth bypass bug in CrushFTP now exploited in attacks

Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code. The security vulnerability (CVE-2025-2825) was reported by Outpost24, and it allows remote attackers to gain unauthenticated access to devices running unpatched CrushFTP v10 or v11 software. "Please take immediate action to patch ASAP. The bottom line of this vulnerability is that an exposed HTTP(S) port could lead to unauthenticated access," CrushFTP warned in an email sent to customers on Friday, March 21, when it released patches to address the security flaw. As a workaround, admins who can't immediately update CrushFTP 10.8.4 and later or 11.3.1 and later can enable the DMZ (demilitarized zone) perimeter network option to protect their CrushFTP servers until they can patch. A week later, security threat monitoring platform Shadowserver warned that its honeypots detected dozens of exploitation attempts ... Read full article.