Warning: Critical improper authentication vulnerability in CrushFTP, Patch Immediately!

Published : 27/03/2025

Last update: 27/03/2025

Affected software:

  • CrushFTP versions 10.0.0 - 10.8.3 and 11.0.0 - 11.3.0

Type:

  • Improper Authentication (CWE-287)

CVE/CVSS: 

  • CVE-2025-2825: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Source

CrushFTP - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

Risk

CrushFTP is a file transfer server used for file sharing, workflow automation, and user management. It supports multiple protocols such as FTP, SFTP, HTTP/S and WebDAV. CVE-2025-2825 has been identified in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.

This vulnerability has a high impact on all three aspects of the CIA triad (confidentiality, integrity, and availability).

Exploiting CVE-2025-2825 allows a remote threat actor, without any credentials, to gain unauthenticated access to the application over its HTTP(S) interface.

In April 2024, another vulnerability (CVE-2024-4040) affecting CrushFTP was disclosed. Unauthenticated remote attackers who exploited it were able to execute code remotely and read sensitive files, as it allowed them to escape the virtual file system (VFS) sandbox and access files outside their designated limits.

Ransomware gangs tend to exploit similar vulnerabilities in file transfer products like CrushFTP to steal sensitive data.

As of the time of the publication of this advisory, there is no evidence of a proof of concept or exploitation.

Description

A remote, unauthenticated attacker can exploit this improper authentication vulnerability over HTTP(S) to obtain access to unpatched servers without valid credentials. The attacker can then invoke administrative functions within CrushFTP and, through them, read files from the host's file system.

There is a risk of a confidential information breach, as the threat actor can access, modify, or delete data without authorization. The attacker could also use the compromised server to move laterally within the network and disrupt critical file transfer services, which could ultimately lead to complete system compromise.

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing. Versions 10.8.3 and 11.3.0 are themselves affected, so please upgrade CrushFTP to version 10.8.4 or later (10.x branch) or 11.3.1 or later (11.x branch). If you are unable to update, enable the DMZ (demilitarized zone) perimeter network option to shield the CrushFTP instance from direct exposure until security updates can be deployed.
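To decide which instances need the update, the affected version ranges listed above can be turned into a small inventory check. The following script is an added example and not part of the CCB advisory or of CrushFTP itself; the host names and version banners in it are constructed sample data, and it assumes you can obtain each instance's version string (for example from the admin interface or the installation's version file) and paste it into the inventory.

```python
"""Triage a CrushFTP inventory against the version ranges listed as
affected by CVE-2025-2825 (example code, not from the advisory)."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, exactly as listed in the advisory:
# 10.0.0 - 10.8.3 and 11.0.0 - 11.3.0.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((10, 0, 0), (10, 8, 3)),
    ((11, 0, 0), (11, 3, 0)),
)

# First x.y.z number in the text; trailing build suffixes are ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first x.y.z version from a banner or version line.
    Returns None when no version number is present."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def in_affected_range(version: Version) -> bool:
    """Tuple comparison gives correct numeric ordering (10.8.3 < 10.8.4)."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def is_affected(text: str) -> bool:
    """True when the version found in text is inside an affected range.
    Raises ValueError if no version can be parsed, so an unreadable
    banner is never silently treated as safe."""
    version = parse_version(text)
    if version is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return in_affected_range(version)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'PATCH', 'ok' or 'unknown'.
    'unknown' means the version could not be read and must be checked
    by hand rather than assumed patched."""
    result: Dict[str, str] = {}
    for host, banner in inventory.items():
        version = parse_version(banner)
        if version is None:
            result[host] = "unknown"
        elif in_affected_range(version):
            result[host] = "PATCH"
        else:
            result[host] = "ok"
    return result


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY: Dict[str, str] = {
    "ftp-a.example.net": "CrushFTP 11.2.3",
    "ftp-b.example.net": "CrushFTP 11.3.1",
    "ftp-c.example.net": "CrushFTP 10.8.3 (build 12)",
    "ftp-d.example.net": "CrushFTP 10.8.4",
    "ftp-e.example.net": "banner withheld",
}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:22s} {status}")
```

The upper bounds are inclusive on purpose: 10.8.3 and 11.3.0 are the last affected releases, so a check that stops one version short would mark them as safe. Hosts whose version cannot be read are reported as unknown rather than ok, since an unreadable banner is not evidence of a patch.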

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, in particular unexpected unauthenticated requests to the CrushFTP HTTP(S) interface and administrative actions not tied to a known user session, and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

NVD - https://nvd.nist.gov/vuln/detail/CVE-2025-2825

Bleeping Computer - https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-unauthenticated-access-flaw-immediately/