
Ongoing exploitation of a critical vulnerability in CrushFTP file transfer software continues to raise concerns, as a disclosure dispute unfolds. The vulnerability, identified as CVE-2025-31161, involves an authentication bypass flaw and was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog on April 7. Although its use in ransomware attacks remains uncertain, the vulnerability has been actively exploited in the wild.
Vulnerability Discovery and Exploitation
Security vendor Huntress reported on April 4 that it detected exploitation activity for CVE-2025-31161 as early as March 30. The activity initially appeared to be testing access to vulnerable instances. Huntress emphasized the importance of prompt patching, noting that file transfer products are frequently targeted due to their external-facing nature and the sensitive data they manage.
Initial Disclosure and Dispute
The CrushFTP vulnerability was first disclosed to customers on March 21, with a security advisory urging updates to version 11.3.1. However, a dispute arose over CVE assignments. Initially, CVE-2025-2825 was assigned by VulnCheck, but Outpost24, the original discoverer, had already reported the flaw to CrushFTP and Mitre. This led to a conflict over the proper CVE assignment.
- VulnCheck's Actions: Assigned CVE-2025-2825 without coordinating with CrushFTP or Outpost24.
- Mitre's Decision: Sided with CrushFTP and Outpost24, rejecting CVE-2025-2825 and confirming CVE-2025-31161 as the official record.
Community Reactions and Implications
VulnCheck defended its actions, arguing that it followed best practices by assigning a CVE to a publicly disclosed vulnerability. However, Mitre emphasized the importance of coordinated disclosure and rejected VulnCheck's CVE. This decision sparked debate within the cybersecurity community about the timing and coordination of vulnerability disclosures.
Ongoing Exploitation and Recommendations
Despite the resolution of the CVE dispute, attacks on CrushFTP instances persist. Huntress reported continued exploitation, with threat actors using the vulnerability to install malicious software. Organizations are urged to update CrushFTP to version 11.3.1 or later (or 10.8.4 or later on the 10.x branch), or to implement the recommended workarounds if updating is not feasible.
- Update Software: Ensure CrushFTP is updated to the latest secure versions.
- Implement Workarounds: Enable the DMZ perimeter network option as a temporary measure.
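The patch guidance above gives two branch-specific fixed releases, so a fleet check has to compare versions per major branch rather than as plain strings. The following is an added example, not CrushFTP's or Huntress's own code: a small Python inventory triage that parses version strings and flags any deployment below the fixed release for its branch. It assumes you already have each host's version string from your own asset inventory or admin console; the hostnames and versions in the sample are constructed.

```python
"""Branch-aware CrushFTP version check for patch inventory.

Added example, not CrushFTP's own code. The fixed versions (11.3.1 and 10.8.4)
are the advisory figures quoted in the article; obtaining each deployment's
version string (inventory export, admin console, etc.) is assumed to happen
elsewhere and is passed in as plain text.
"""
import re
from typing import List, Optional, Tuple

# Minimum patched version per major branch, per the advisory figures on the page.
FIXED_VERSIONS = {
    10: (10, 8, 4),
    11: (11, 3, 1),
}


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '11.3.1' or 'v10.8.4_beta' into (11, 3, 1); None if unparseable."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version: str) -> bool:
    """True only if the version is in a known branch at or above its fixed release.

    Conservative by design: an unparseable version, or a major branch the advisory
    does not mention, is reported as not confirmed patched so it gets reviewed.
    """
    parsed = parse_version(version)
    if parsed is None:
        return False
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return False
    # Pad to three components so '11.4' compares as (11, 4, 0); ignore any 4th part.
    head = tuple(parsed[:3])
    padded = head + (0,) * (3 - len(head))
    return padded >= fixed


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) entries that still need patching or manual review."""
    return [(host, ver) for host, ver in inventory if not is_patched(ver)]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("ftp-a.example.internal", "11.3.1"),
        ("ftp-b.example.internal", "11.2.3"),
        ("ftp-c.example.internal", "10.8.4"),
        ("ftp-d.example.internal", "10.7.1"),
        ("ftp-e.example.internal", "unknown"),
    ]
    for host, ver in triage(sample):
        print(f"{host}: {ver} -> update to 11.3.1+ / 10.8.4+ or review manually")
```

Entries that parse to a branch the advisory does not cover, or that do not parse at all, are deliberately returned by `triage` so a human confirms them rather than silently treating them as safe.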