- Posted April 02, 2025
- Cyber Security Alerts
The NCSC would like to draw your attention to a critical vulnerability affecting the file transfer solution CrushFTP.
CVE-2025-2825 is an authentication bypass vulnerability affecting CrushFTP that could allow a remote attacker to gain unauthorised access. The NCSC is aware of a proof of concept (PoC) that a threat actor could use to exploit this vulnerability.
The vulnerability affects the following versions of CrushFTP:
- CrushFTP versions 10.0.0 through 10.8.3
- CrushFTP versions 11.0.0 through 11.3.0
The NCSC encourages organisations in New Zealand that use the affected product to review the vendor advisory and apply the remediation as soon as possible.
Received an alert or advisory from both CERT NZ and NCSC? At present, we use both brands and a range of distribution mechanisms to ensure everyone continues to receive the information they need. Behind the scenes, our teams continue to work together to share insights and align our guidance.