Description

CrushFTP contains an authentication bypass vulnerability that allows unauthenticated remote attackers to access administrative interfaces and sensitive functionality, potentially leading to complete server compromise.

Remediation

Upgrade to the latest version of CrushFTP

References

Rapid7 Vulnerability Blog

NVD - CVE-2025-2825

Related Vulnerabilities

IBM WebSEAL CVE-2018-1722 Vulnerability (CVE-2018-1722)

MySQL CVE-2021-35638 Vulnerability (CVE-2021-35638)

WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2016-5833)

MySQL Other Vulnerability (CVE-2000-0045)

Piwigo Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2014-4614)

Severity

Critical

Classification

CVE-2025-2825 CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Tags

Authentication Bypass Known Vulnerabilities