Description

CrushFTP contains an authentication bypass vulnerability that allows unauthenticated remote attackers to access administrative interfaces and sensitive functionality, potentially leading to complete server compromise.

Remediation

Upgrade to the latest version of CrushFTP

References

Rapid7 Vulnerability Blog

NVD - CVE-2025-2825

Related Vulnerabilities

Moodle Incorrect Calculation Vulnerability (CVE-2022-30600)

Joomla URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2020-24598)

Piwigo Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2017-17827)

Jetty Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2024-22201)

WordPress Plugin Live Product Editor for WooCommerce Security Bypass (4.6.2)

Severity

Critical

Classification

CVE-2025-2825 CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Tags

Authentication Bypass Known Vulnerabilities