- Posted April 08, 2025
- Cyber Security Alerts
7/04/2025: Update to CVE affecting CrushFTP
The NCSC would like to re-draw your attention to a critical vulnerability affecting file transfer solution CrushFTP. The NCSC is now aware of reports of active exploitation of this vulnerability.
The NCSC would like to also note that the CVE-ID we identified in our alert on 01/04/2025 is now being tracked as CVE-2025-31161. CVE-2025-31161 (formerly CVE-2025-2825) is an authentication bypass vulnerability affecting CrushFTP that could allow a remote attacker to gain unauthorised access.
The vulnerability affects the following versions of CrushFTP:
CrushFTP versions 10.0.0 through 10.8.3
CrushFTP versions 11.0.0 through 11.3.0
The NCSC encourages organisations in New Zealand that use the affected product to review the vendor advisory(external link) and apply the remediation as soon as possible.
2/04/2025: CVE affecting CrushFTP
The NCSC would like to draw your attention to a critical vulnerability affecting file transfer solution CrushFTP.
CVE-2025-2825(external link) is an authentication bypass vulnerability affecting CrushFTP that could allow a remote attacker to gain unauthorised access. The NCSC is aware of a proof of concept (PoC) that a threat actor could use to exploit this vulnerability.
The vulnerability affects the following versions of CrushFTP:
- CrushFTP versions 10.0.0 through 10.8.3
- CrushFTP versions 11.0.0 through 11.3.0
The NCSC encourages organisations in New Zealand that use the affected product to review the vendor advisory(external link) and apply the remediation as soon as possible.
Received an alert or advisory from both CERT NZ and NCSC? At present, we use both brands and a range of distribution mechanisms to ensure everyone continues to receive the information they need. Behind the scenes, our teams continue to work together to share insights and align our guidance.
For more NCSC NZ updates, follow us on LinkedIn(external link).