Description

CrushFTP contains an authentication bypass vulnerability that allows unauthenticated remote attackers to access administrative interfaces and sensitive functionality, potentially leading to complete server compromise.

Remediation

Upgrade to the latest version of CrushFTP

References

Rapid7 Vulnerability Blog

NVD - CVE-2025-2825

Related Vulnerabilities

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-5471)

Plone CMS Other Vulnerability (CVE-2006-4247)

Jetty Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2021-34429)

Moodle Credentials Management Errors Vulnerability (CVE-2014-0008)

PHP-Fusion Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-17449)

Severity

Critical

Classification

CVE-2025-2825 CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Tags

Authentication Bypass Known Vulnerabilities