
Admins urged to patch immediately as CrushFTP discloses high-severity flaw impacting versions 10 and 11.
A new high-severity vulnerability has been disclosed in CrushFTP, a widely used secure file transfer platform favored by enterprises, hosting providers, and government agencies. Tracked as CVE-2025-2825, the flaw carries a CVSS score of 9.8 and may allow unauthenticated attackers to gain remote access via specially crafted HTTP requests.
The issue affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. While there are currently no signs of active exploitation, CrushFTP developers have urged immediate patching, stating:
“Update to version 10.8.4+ or 11.3.1+ immediately.”
CVE-2025-2825 permits unauthorized access through unauthenticated HTTP requests, potentially granting attackers access to sensitive data or administrative capabilities. The flaw, however, is mitigated if the DMZ function is enabled, which isolates the public-facing services from backend infrastructure.
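As an added example that is not part of the original article or of CrushFTP's own tooling, the following Python triage helper encodes the affected version ranges, fixed releases and DMZ mitigation note stated above, and runs them over a constructed server inventory. The version-string formats it tolerates (a `_build` suffix, missing patch digits) and the hostnames are assumptions for illustration.

```python
"""Triage CrushFTP versions against the CVE-2025-2825 advisory ranges (added example)."""
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

# Inclusive affected range and first fixed release per branch, as stated in the advisory.
AFFECTED_BRANCHES: Dict[int, Tuple[Version, Version, Version]] = {
    10: ((10, 0, 0), (10, 8, 3), (10, 8, 4)),
    11: ((11, 0, 0), (11, 3, 0), (11, 3, 1)),
}

def parse_version(text: str) -> Version:
    """Normalise strings such as '11.3.0', '10.8' or '11.3.0_build1234' to a 3-tuple.

    The suffix handling is an assumption about how inventories report the version."""
    core = text.strip().split("_")[0].split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable CrushFTP version: {text!r}")
    parts = (parts + [0, 0, 0])[:3]        # pad missing minor/patch, drop extra fields
    return parts[0], parts[1], parts[2]

def classify(version: str, dmz_enabled: bool = False) -> str:
    """Return one of: vulnerable, mitigated_by_dmz, patched, not_in_advisory."""
    v = parse_version(version)
    branch = AFFECTED_BRANCHES.get(v[0])
    if branch is None:                     # the advisory only lists the 10.x and 11.x lines
        return "not_in_advisory"
    _low, _high, fixed = branch
    if v >= fixed:
        return "patched"
    # Anything in a listed branch below the fix is treated as exposed (conservative default).
    # Advisory: the DMZ function isolates the public-facing service, but the fix is to update.
    return "mitigated_by_dmz" if dmz_enabled else "vulnerable"

# Constructed sample inventory: (hostname, reported version, DMZ function enabled).
SAMPLE_INVENTORY = [
    ("ftp-01.example.internal", "11.3.0", False),
    ("ftp-02.example.internal", "11.3.1", False),
    ("ftp-dmz.example.internal", "10.8.2_build1", True),
    ("ftp-old.example.internal", "10.8.4", False),
]

def triage(inventory: Iterable[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Map each host to its CVE-2025-2825 status so update work can be prioritised."""
    return {host: classify(ver, dmz) for host, ver, dmz in inventory}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items(), key=lambda kv: kv[1]):
        print(f"{host:28} {status}")
```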
No further technical details have been made public at this time, following responsible disclosure procedures to reduce the risk of weaponization before patches are fully deployed.
It is important to note that in April 2024, CrushFTP also released security updates to patch an actively exploited zero-day vulnerability (CVE-2024-4040) that allowed unauthenticated attackers to escape the user’s virtual file system (VFS) and download system files. CISA added CVE-2024-4040 to its Known Exploited Vulnerabilities catalog, ordering U.S. federal agencies to secure vulnerable servers on their networks within a week.
Secure file transfer systems like CrushFTP have become high-value targets for ransomware operations, especially groups like Clop, which notoriously leveraged zero-day flaws in MOVEit Transfer, GoAnywhere MFT, Accellion FTA, and Cleo software to launch widespread data theft campaigns.
The CVE-2025-2825 vulnerability poses a significant risk to CrushFTP users, potentially leading to unauthorized access to sensitive data. Given the history of attacks on file transfer products and the severity of this flaw, it is critical that organizations take immediate action to update their CrushFTP installations to the latest secure versions.