Critical Security Flaw Discovered
CrushFTP has issued an urgent security warning to its users, advising them to patch their servers immediately because of a newly discovered vulnerability that allows unauthenticated access to servers exposed on the internet via HTTP(S). The company disclosed the issue in an email to customers on March 21, 2025, stressing the importance of immediate action. According to the email, all versions of CrushFTP v11 are affected, while earlier versions were described as unaffected. A CVE identifier had not been assigned at the time of the announcement but is expected soon.
Any instance whose HTTP(S) port is reachable from the internet is at risk, since the flaw requires no credentials to exploit. Servers running with the DMZ (demilitarized zone) feature enabled are not affected. While CrushFTP's email named only v11, the security advisory published the same day lists both v10 and v11 as affected, a finding corroborated by cybersecurity firm Rapid7.
Mitigation Measures and Previous Vulnerabilities
To mitigate the risk, CrushFTP has released v11.3.1, and users should update to that version or later. For users unable to update immediately, enabling the DMZ perimeter network option is recommended as a temporary safeguard, not as a substitute for patching. Shodan data indicates that more than 3,400 CrushFTP instances expose their web interface to the internet, though it is unclear how many have been patched since the announcement.
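The practical question for most teams is which of their CrushFTP hosts need attention first. The script below is an added example, not CrushFTP's or Rapid7's code: it applies the facts reported above (all v11 affected, fix in v11.3.1 or later, v10 also listed as affected, DMZ as an interim safeguard) to a constructed sample inventory and ranks hosts by urgency. Because the advisory summary gives no fixed version for v10, v10 hosts are flagged for manual checking against the vendor advisory rather than assumed patched. Hostnames, version strings and the inventory layout are assumptions for illustration.

```python
"""Triage a CrushFTP host inventory against the affected and fixed versions
reported in the advisory summary above. Added example, not vendor code.
INVENTORY is constructed sample data; in practice the rows would come from
your asset inventory or a version scan of your own hosts."""
import re

# From the advisory summary: all v11 releases are affected, fixed in v11.3.1+.
# v10 is also listed as affected, but no fixed v10 version is stated above,
# so v10 hosts are flagged for manual checking against the vendor advisory.
FIXED_V11 = (11, 3, 1)

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(s: str) -> tuple:
    """'11.3.1+' -> (11, 3, 1); missing minor/patch parts default to 0."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(part or 0) for part in m.groups())


def triage(version: str, dmz_enabled: bool, http_exposed: bool) -> str:
    """Classify one host.

    http_exposed: the HTTP(S) port is reachable from the internet.
    dmz_enabled:  CrushFTP's DMZ option is in use (the interim safeguard).
    """
    v = parse_version(version)
    major = v[0]
    if major < 10:
        return "not_affected"            # earlier versions reported unaffected
    if major == 11 and v >= FIXED_V11:
        return "patched"
    if major > 11:
        return "unknown_version"         # outside what the advisory describes
    base = "unpatched" if major == 11 else "v10_fix_unknown"
    if not http_exposed:
        return f"{base}_internal"        # not reachable over internet HTTP(S); patch on schedule
    if dmz_enabled:
        return f"{base}_dmz_mitigated"   # temporary safeguard only; still patch
    return f"{base}_exposed"             # unauthenticated access possible: patch now


# Lower rank = more urgent.
SEVERITY = {status: rank for rank, status in enumerate([
    "unpatched_exposed", "v10_fix_unknown_exposed",
    "unpatched_dmz_mitigated", "v10_fix_unknown_dmz_mitigated",
    "unpatched_internal", "v10_fix_unknown_internal",
    "unknown_version", "patched", "not_affected",
])}


def prioritise(inventory):
    """Return (host, status) pairs, most urgent first."""
    rows = [(h["host"], triage(h["version"], h["dmz"], h["exposed"]))
            for h in inventory]
    return sorted(rows, key=lambda r: SEVERITY[r[1]])


# Constructed sample inventory (hostnames and versions are illustrative only).
INVENTORY = [
    {"host": "ftp-a.example.internal", "version": "11.3.1", "dmz": False, "exposed": True},
    {"host": "ftp-b.example.internal", "version": "11.2.3", "dmz": False, "exposed": True},
    {"host": "ftp-c.example.internal", "version": "11.1.0", "dmz": True,  "exposed": True},
    {"host": "ftp-d.example.internal", "version": "10.7.1", "dmz": False, "exposed": True},
    {"host": "ftp-e.example.internal", "version": "9.5",    "dmz": False, "exposed": True},
    {"host": "ftp-f.example.internal", "version": "11.0",   "dmz": False, "exposed": False},
]

if __name__ == "__main__":
    for host, status in prioritise(INVENTORY):
        print(f"{status:32} {host}")
```

The ordering deliberately puts an internet-exposed, non-DMZ v11 host ahead of one behind the DMZ option, and a DMZ-fronted host ahead of an internal-only one, matching the advisory's point that only internet-reachable HTTP(S) listeners are directly at risk. Treat "dmz_mitigated" as a reason to schedule, not skip, the update.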
This is not the first time CrushFTP has faced security issues. In April 2024, the company patched an actively exploited zero-day vulnerability (CVE-2024-4040), which allowed attackers to escape the virtual file system (VFS) and access system files without authentication. Intelligence reports linked that attack to politically motivated espionage, with U.S. organizations being among the primary targets. Following the discovery, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog, instructing federal agencies to secure their systems within a week.
Growing Threat to File Transfer Platforms
The latest CrushFTP vulnerability adds to a growing trend of security threats targeting file transfer software. In November 2023, CrushFTP customers were also warned about a critical remote code execution vulnerability (CVE-2023-43177) discovered by Converge security researchers. A proof-of-concept exploit for that flaw was made public three months after the patch was released, increasing the risk of exploitation.
File transfer solutions remain attractive targets for cybercriminals, particularly ransomware groups. The Clop ransomware gang, for instance, has been linked to data theft attacks that exploited zero-day vulnerabilities in multiple file transfer platforms, including MOVEit Transfer, GoAnywhere MFT, Accellion FTA, and Cleo software. Given the rising frequency of such threats, CrushFTP users are strongly encouraged to implement the latest security updates to safeguard their systems from potential cyberattacks.
With the cybersecurity landscape evolving rapidly, organizations using CrushFTP and similar software must remain vigilant, ensuring their systems are consistently updated to mitigate risks from emerging threats.