Description

CrushFTP contains an authentication bypass vulnerability that allows unauthenticated remote attackers to access administrative interfaces and sensitive functionality, potentially leading to complete server compromise.

Remediation

Upgrade to the latest version of CrushFTP

References

Rapid7 Vulnerability Blog

NVD - CVE-2025-2825

Related Vulnerabilities

Joomla Generation of Error Message Containing Sensitive Information Vulnerability (CVE-2022-23794)

Magento Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2020-24407)

WordPress Plugin WP SEO TDK Security Bypass (2.0.2)

Oracle JRE CVE-2012-3342 Vulnerability (CVE-2012-3342)

Oracle Database Server CVE-2013-1534 Vulnerability (CVE-2013-1534)

Severity

Critical

Classification

CVE-2025-2825 CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Tags

Authentication Bypass Known Vulnerabilities