CVE-2025-2825 affecting CrushFTP


11:20am, 3 April 2025

TLP Rating: Clear


CVE-2025-2825 is an authentication bypass vulnerability affecting CrushFTP that could allow a remote attacker to gain unauthorised access. The NCSC is aware of a proof of concept (PoC) that a threat actor could use to exploit this vulnerability. CrushFTP has made patches available.

What's happening

Systems affected

The vulnerability affects the following versions of CrushFTP:

  • CrushFTP versions 10.0.0 through 10.8
  • CrushFTP versions 11.0.0 through 11.3.0
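A triage helper for checking a fleet inventory against the two affected ranges listed above. This is an added example, not NCSC or CrushFTP code; it assumes dotted-integer version strings and reads "through 10.8" as covering every 10.8.x build, since the advisory does not name the fixed release for the 10.x line.

```python
"""Flag CrushFTP versions inside the ranges named in this advisory:
10.0.0 through 10.8 and 11.0.0 through 11.3.0 (both bounds inclusive).
Constructed example; hostnames and version values below are made up.
"""
from typing import Dict, Tuple

Version = Tuple[int, ...]

# (lower bound, upper bound) pairs taken from the advisory's affected list.
# Assumption: a shorter upper bound such as (10, 8) covers every 10.8.x build.
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 8)),
    ((11, 0, 0), (11, 3, 0)),
)


def parse_version(text: str) -> Version:
    """Turn '11.3.0' into (11, 3, 0); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    version = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if version < low:
            continue
        # Compare only as many components as the upper bound names, so that
        # "through 10.8" matches 10.8.1 but "through 11.3.0" does not match 11.3.1.
        if version[:len(high)] <= high:
            return True
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'affected', 'not_listed' or 'unparseable'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not_listed"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {"ftp-01": "10.8.2", "ftp-02": "11.3.0",
                    "ftp-03": "11.3.1", "ftp-04": "9.5", "ftp-05": "11.3.0-rc"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `not_listed` fall outside the advisory's ranges but should still be confirmed against the vendor advisory, which names the versions to update to.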

What this means

Organisations running an affected CrushFTP version are exposed to this vulnerability.

What to do

Prevention

Update to one of the vendor-advised CrushFTP versions.

More information

Vendor Advisory

Crush11wiki: Update

CVE

CVE-2025-2825

If you require more information or further support, submit a report on our website or contact us on 0800 114 115.


For media enquiries, email our media desk at media@ncsc.govt.nz.