CrushFTP vulnerability exploited in the wild, added to CISA KEV database

News
By published

A new patch for a CrushFTP was released, so update now

A computer being guarded by cybersecurity.
(Image credit: iStock)
  • A critical flaw was discovered in file transfer tool CrushFTP
  • Experts claim the issue was being abused in the wild
  • CISA added the flaw to its KEV catalog

A critical-severity vulnerability plaguing file transfer software CrushFTP was found being actively exploited in the wild.

Earlier this month, it was reported that the software, commonly used by organizations to handle large-scale file transfers, contained an authentication bypass vulnerability which allowed unauthenticated attackers to gain administrative access.

By specifically targeting the crushadmin account, threat actors could abuse the flaw to compromise the target system entirely.

Monitor your credit score with TransUnion starting at $29.95/month

Monitor your credit score with TransUnion starting at $29.95/month

TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.

Preferred partner (What does this mean?)

View Deal

CISA adds it to KEV

The flaw is now tracked as CVE-2025-31161, and was given a severity score of 9.8/10 (critical)

It affects CrushFTP versions 10 before 10.8.4 and 11 before 11.3.1. Users are strongly advised to update to these versions immediately, and if they can’t, enabling the DMZ proxy instance can serve as a temporary workaround.

Security researchers have warned that the bugs were used in the wild to install remote management tools like AnyDesk and MeshAgent, The Hacker News reported.

CISA has also picked up on the news, adding the bug to its Known Exploited Vulnerabilities Catalog (KEV). This means that Federal Civilian Executive Branch (FCEB) agencies have a three-week deadline (until April 28) to apply the patch, or stop using CrushFTP entirely.

Cybercriminals often target managed file transfer software vulnerabilities, since they could allow access to sensitive corporate files and databases. In fact, one of the most devastating cyberattacks in recent history happened in 2023, when ransomware operator Cl0p abused a previously unknown SQL injection vulnerability in MOVEit managed file transfer software to breach hundreds of corporations around the world.

A year before that, GoAnywhere MFT was breached and used to steal sensitive data from almost 130 organizations, and in January 2024, the same software was found to be vulnerable to a critical path traversal weakness flaw.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.