A serious security vulnerability in CrushFTP versions 10 and 11 has been actively exploited in the wild, potentially allowing unauthenticated threat actors to bypass authentication and gain administrative access to execute malicious actions, steal sensitive data, or further compromise the system. The flaw resides in the software's authentication process, specifically in the way CrushFTP handles user validation.
The vulnerability was publicly disclosed by CrushFTP on March 21, 2025, following reports of active exploitation, and the company quickly released patched versions 10.8.4 and 11.3.1 to address it.
However, a controversy emerged over the vulnerability's Common Vulnerabilities and Exposures (CVE) assignment. Two different CVEs were issued:
- CVE-2025-2825: Assigned by security firm VulnCheck on March 26, 2025, after five days had passed without an official CVE being published.
- CVE-2025-31161: Assigned by MITRE on March 27, 2025, following a request from security company Outpost24, which had initially reported the flaw to MITRE on March 13, 2025.
This dual CVE assignment has caused confusion among researchers and security teams regarding which identifier should be used.
Outpost24, which originally discovered the vulnerability, had planned a responsible disclosure with a 90-day delay to allow time for mitigation before public exposure. However, once evidence of real-world exploitation surfaced, the decision was made to disclose the details earlier so that users could take defensive action.
CrushFTP maintains that the appropriate CVE designation for the vulnerability is CVE-2025-31161, and it credits Outpost24 with discovering and responsibly disclosing it. Impacted users are urged to update to the latest patched versions immediately to prevent potential breaches.
Source: SecurityWeek
Analysis
CrushFTP has a history of patching zero-day vulnerabilities before they are assigned CVE designations. For example, in April 2024, CrushFTP patched an actively exploited zero-day vulnerability that had not yet received a CVE; it could enable an unauthenticated threat actor to escape the WebInterface's virtual file system and download potentially sensitive system files. That vulnerability was later designated CVE-2024-4040.
Although rare, the issuance of two CVEs for a single flaw can delay patching: security teams may be unsure which identifier to track and patch against, potentially missing updates or misjudging the severity of the vulnerability.
In this case, the double designation happened because VulnCheck assigned the vulnerability a CVE of its own after several days passed without an official one, while MITRE followed its own process to assign a CVE. Ideally, better coordination and communication between organizations issuing CVEs would help avoid such issues and ensure that users can act more swiftly in addressing security risks.
MITRE will no doubt be reviewing the details of this incident and updating its procedures accordingly to make sure such a scenario doesn’t happen again.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in utilities like CrushFTP. Field Effect MDR users are automatically notified if vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends that users of the affected versions of CrushFTP update to the latest version as soon as possible, in accordance with the advisory.
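As an added illustration (not Field Effect's or CrushFTP's code), the following Python sketches the two checks an internal vulnerability-tracking script needs for this case: collapsing either published identifier onto the one CrushFTP considers correct, and comparing an installed version against the first fixed releases named above (10.8.4 and 11.3.1). The version-parsing rules, the scoping to the 10.x and 11.x lines only, and the sample inventory are assumptions constructed for the example.

```python
import re
from typing import Optional

# CrushFTP treats CVE-2025-31161 as the correct identifier; CVE-2025-2825 is
# VulnCheck's duplicate assignment for the same flaw.
CVE_ALIASES = {"CVE-2025-2825": "CVE-2025-31161"}

# First fixed release per affected major line, per the advisory.
FIXED_VERSIONS = {10: (10, 8, 4), 11: (11, 3, 1)}


def canonical_cve(cve_id: str) -> str:
    """Collapse either published identifier onto the one the vendor considers correct."""
    cve_id = cve_id.strip().upper()
    return CVE_ALIASES.get(cve_id, cve_id)


def parse_version(version: str) -> tuple:
    """Turn '11.3.0' into a comparable (major, minor, patch) tuple.

    Assumption: a non-numeric suffix on a component is ignored and missing
    components count as zero; unparseable input raises ValueError.
    """
    nums = []
    for part in version.strip().split(".")[:3]:
        match = re.match(r"\d+", part)
        if not match:
            raise ValueError(f"unparseable version component: {part!r}")
        nums.append(int(match.group()))
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version: str) -> Optional[bool]:
    """True if the build predates the fix for its major line, False if patched.

    Returns None for major versions the advisory does not name (assumption: only
    the 10.x and 11.x lines are in scope) so they can be flagged for manual review.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    return None if fixed is None else parsed < fixed


def hosts_needing_update(inventory: dict) -> list:
    """Given {hostname: installed_version}, return hosts still on affected builds."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = {"ftp-01": "10.8.3", "ftp-02": "10.8.4",
                    "ftp-03": "11.3.0", "ftp-04": "11.3.1"}
```

Hosts for which `is_affected` returns None run a major line the advisory does not mention and should be reviewed by hand rather than assumed safe.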