A critical vulnerability in CrushFTP’s file transfer server software is being actively exploited by threat actors, and the situation has become even more chaotic due to a heated dispute over its disclosure and CVE assignment. As of March 31, scans by the Shadowserver Foundation revealed over 1,500 vulnerable CrushFTP instances online, with attackers already using a proof-of-concept (PoC) exploit to target exposed systems.
The vulnerability, initially tracked as CVE-2025-2825, allows attackers to bypass authentication and access CrushFTP servers via exposed HTTP(S) ports. With a CVSS score of 9.8, the flaw is extremely easy to exploit and poses a serious risk to enterprises relying on the popular file transfer tool.
However, the identity of the CVE and the responsible parties involved in disclosing the flaw have triggered a backlash within the cybersecurity community, exposing the complexities of vulnerability disclosure and coordination among vendors, researchers, and CVE authorities.
The drama began on March 21, when CrushFTP privately notified its customers of a high-severity authentication bypass vulnerability affecting versions 10 and 11. A patch (v11.3.1) was released the same day, but the company did not assign a CVE, nor did it offer technical details. The advisory stated the issue was not known to be exploited at the time and recommended updates without providing a public disclosure timeline.
Just days later, threat intelligence firm VulnCheck, which is a CVE Numbering Authority (CNA), assigned CVE-2025-2825 to the bug. It gave the flaw a critical CVSS score and released limited details, claiming the intent was to help the community take early action. However, CrushFTP CEO Ben Spink strongly objected, calling the CVE “fake” and accusing VulnCheck of hijacking the disclosure process. In an email exchange posted by VulnCheck’s CTO Jacob Baines on X, Spink warned that their actions would damage VulnCheck’s credibility and accelerate exploitation.
VulnCheck defended its decision, stating it followed CVE.org’s public procedures and never claimed to have discovered the vulnerability. Still, the damage was done.
By March 28, cybersecurity firm ProjectDiscovery had published a technical breakdown and PoC exploit for CVE-2025-2825—likely based on patch analysis—crediting Outpost24 with the original discovery. Soon after, Rapid7 followed with its own patch-diffing research and exploit code. These disclosures fueled exploitation attempts in the wild, with attackers weaponizing the flaw before many organizations had time to patch.
On March 31, CrushFTP confirmed that some customers had already been compromised. In an email to Dark Reading, Spink placed the blame squarely on premature disclosures and disputed CVE assignments.
Cybersecurity vendor Outpost24, which originally found the flaw, later clarified that the correct CVE is CVE-2025-31161. In a blog post titled “Disclosure mess leads to attacks,” researchers from the company explained that they followed a responsible disclosure path: they alerted CrushFTP in mid-March, coordinated patch efforts, and agreed to a cautious rollout to protect customers.
According to the timeline, Outpost24 had requested a CVE from Mitre on March 15, days before VulnCheck issued its identifier. They emphasized that neither VulnCheck nor the vendors who published PoCs reached out to verify whether disclosure coordination was in progress. Outpost24 leaders criticized the move as reckless and potentially damaging.
“Collaboration attempts with VulnCheck were unsuccessful,” said Alexander Mohlin, VP of OffSec at Outpost24. “We hope for more diligence from our peers going forward. In the meantime, the CrushFTP patch is live, and now is the time to update.”
The confusion over CVE identifiers has had very real consequences. According to Spink, attackers began leveraging the PoC just days after the technical details were published. He confirmed that active exploitation of CVE-2025-31161 is ongoing and that CrushFTP is working around the clock to assist affected customers.
Security experts note that fast-moving attacks like these are not uncommon. A Mandiant report from 2023 showed that the average time-to-exploit (TTE) for newly disclosed vulnerabilities is just five days—highlighting how rushed or conflicting disclosures can dramatically shrink the window organizations have to respond.
Spink said the early CVE publication by VulnCheck and subsequent public PoCs left customers with little time to apply patches before real-world attacks began. “Companies are being exploited and we’re overwhelmed trying to help,” he said.
He also criticized those who published detailed exploit information without first checking if a coordinated disclosure was underway.
Outpost24 and CrushFTP both recommend upgrading to CrushFTP v11.3.1 or later to protect against the authentication bypass vulnerability. For organizations unable to patch immediately, enabling DMZ mode—which isolates internal services from public-facing network segments—can serve as a temporary workaround.
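As an added example that is not from the article or from CrushFTP, Outpost24 or any of the other firms named, the following Python script triages a CrushFTP inventory against the advice above: any 10.x or 11.x build older than v11.3.1 needs the update, and DMZ mode is treated only as an interim measure for affected hosts. The host names, version strings and exposure flags are constructed sample data, and the handling of version-string formats is an assumption rather than anything documented by the vendor.

```python
"""
Triage a CrushFTP inventory against the published advice:
versions 10.x and 11.x are affected, v11.3.1 or later is fixed,
and DMZ mode is only an interim workaround until a host is patched.
All inventory data below is constructed sample data, not real hosts.
"""
import re
from dataclasses import dataclass

FIXED_VERSION = (11, 3, 1)  # first fixed release named in the advisory


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a version string such as '11.3.1' or 'v11.2' into a comparable tuple.

    Format handling is an assumption: a leading 'v' is accepted and anything
    after the dotted numeric part (e.g. a build suffix) is ignored.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short strings so '11.3' compares as (11, 3, 0), i.e. older than 11.3.1.
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True for any 10.x or 11.x build older than 11.3.1 (the advisory's stated scope)."""
    v = parse_version(version)
    return v[0] in (10, 11) and v < FIXED_VERSION


@dataclass
class Instance:
    host: str
    version: str
    internet_exposed: bool  # HTTP(S) port reachable from the public internet
    dmz_mode: bool          # DMZ mode enabled as an interim mitigation


def triage(instances: list[Instance]) -> dict[str, str]:
    """Map each host to the action a security team should take."""
    actions: dict[str, str] = {}
    for inst in instances:
        if not is_affected(inst.version):
            actions[inst.host] = "patched"
        elif inst.internet_exposed and not inst.dmz_mode:
            actions[inst.host] = "patch now: exposed and unmitigated"
        elif inst.dmz_mode:
            actions[inst.host] = "patch soon: DMZ mode is only an interim workaround"
        else:
            actions[inst.host] = "patch soon: internal only but still affected"
    return actions


# Constructed sample inventory (hosts, versions and flags are made up).
SAMPLE_INVENTORY = [
    Instance("ftp-a.example.test", "11.3.1", True, False),
    Instance("ftp-b.example.test", "11.2.3", True, False),
    Instance("ftp-c.example.test", "10.7.0", False, False),
    Instance("ftp-d.example.test", "11.3", True, True),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```

The ordering in `triage` puts internet-exposed hosts without DMZ mode first, since those match the population the Shadowserver scans counted; the version check deliberately follows the advisory's stated scope (10.x and 11.x) rather than guessing about other major versions.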
For security teams trying to track the issue, CVE-2025-31161 should now be considered the correct identifier for the CrushFTP vulnerability. Outpost24 warns that the flaw is currently being exploited in the wild and urges urgent action to secure vulnerable systems.