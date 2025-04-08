The US top cybersecurity agency has confirmed that the critical vulnerability in file transfer solution provider CrushFTP’s product is being exploited in the wild.

The authentication bypass vulnerability, CVE-2025-31161, was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog on April 7.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” said the security advisory.

CISA strongly urged all federal departments and other organizations to prioritize remediating the vulnerability as part of their vulnerability management practice.

Vulnerability Disclosure Mix-Up

The vulnerability is a critical authentication bypass (CVSS base score of 9.8) that could allow an unauthenticated actor to take over devices running unpatched versions of CrushFTP v10 or v11.

It was identified by Outpost24 and disclosed by CrushFTP on March 21 and has been fixed in versions 10.8.4 and 11.3.1.

However, the vulnerability experienced a disclosure mix-up with two separate vulnerability identifiers published by two CVE Numbering Authorities (CNAs) relating to the same issue.

Outpost24 worked with MITRE, a CNA, to secure CVE identifier CVE-2025-31161.

Outpost24 and MITRE then coordinated with CrushFTP to agree on a 90-day non-disclosure period to ensure users had sufficient time to patch before details became public.

Meanwhile, another CNA, VulnCheck, published a separate identifier, CVE-2025-2825, on March 26, allegedly without consulting Outpost24 or CrushFTP.

Two days later, the Shadowserver Foundation said on X that it was observing exploitation attempts of CVE-2025-2825 based on a publicly available proof-of-concept (PoC) exploit code. The non-profit also identified at least 1512 unpatched instances vulnerable to CVE-2025-2825.