CrushFTP Urges Immediate Patch for Critical Unauthenticated Access Vulnerability
CrushFTP has issued an urgent warning to its customers about a serious security flaw that could allow attackers to gain unauthorized access to servers exposed over HTTP(S). The company is advising all users to patch their systems immediately to prevent potential exploitation.
Unpatched Servers at Risk of Unauthorized Access
In an email sent to customers on March 21, 2025, CrushFTP emphasized the urgency of applying the latest security update. The vulnerability, which affects all versions of CrushFTP v11, allows unauthenticated attackers to access servers if they are exposed to the Internet via HTTP(S).
“All CrushFTP v11 versions were affected. (No earlier versions are affected.) A CVE will be generated soon,” the company stated in the email.
The flaw is particularly concerning because it can be exploited remotely without requiring authentication. However, the risk is mitigated if customers have enabled the DMZ feature in CrushFTP, which provides an additional security layer.
Conflicting Reports on Affected Versions
While CrushFTP’s initial advisory stated that only v11 was impacted, cybersecurity company Rapid7 pointed out that both v10 and v11 are affected. This discrepancy has raised concerns among users, prompting many to verify their version and assess their exposure risk.
To address the issue, CrushFTP released version 11.3.1+, which includes a patch for the vulnerability. For those unable to update immediately, enabling the DMZ perimeter network feature is recommended as a temporary workaround.
Thousands of Servers Exposed to Potential Attacks
Data from Shodan, a search engine that scans for Internet-exposed devices, indicates that more than 3,400 CrushFTP instances have their web interfaces accessible online. While it remains unclear how many of these servers have been patched, the risk of exploitation is significant.
This isn’t the first time CrushFTP users have faced security threats. In April 2024, the company patched a zero-day vulnerability (CVE-2024-4040) that was actively exploited to allow unauthorized file system access. That attack was linked to an intelligence-gathering campaign, with targets including multiple U.S. organizations.
A History of Targeted Attacks on File Transfer Software
CrushFTP is not the only file transfer solution that has been targeted by threat actors. Over the past few years, ransomware groups, particularly the Clop gang, have exploited vulnerabilities in similar platforms, including:
- MOVEit Transfer
- GoAnywhere MFT
- Accellion FTA
- Cleo software
These products are appealing to attackers because they often store and transfer sensitive data, making them lucrative targets for data theft and extortion.
Urgent Steps for CrushFTP Users
To protect their systems, CrushFTP users should take the following actions immediately:
- Update to version 11.3.1+ to apply the latest security patch.
- Enable the DMZ feature if an immediate update is not possible.
- Restrict HTTP(S) access to only trusted sources to minimize exposure.
- Monitor for unusual activity on CrushFTP instances to detect potential intrusions.
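The four steps above amount to an inventory triage: for every CrushFTP host, compare the running build against 11.3.1, and rank the unpatched ones by whether their HTTP(S) interface is reachable from the Internet and whether the DMZ feature is on. The script below is an added example of that triage, not code from CrushFTP, Rapid7 or the article. It assumes version strings are dotted numerics with an optional build suffix (e.g. `11.1.0_12`), treats both v10 and v11 as affected (following Rapid7's statement rather than the narrower vendor email), and uses hypothetical inventory field names (`version`, `internet_exposed_https`, `dmz_enabled`) and constructed sample hosts.

```python
"""Triage an inventory of CrushFTP hosts against the March 2025 advisory.

Added example (not CrushFTP's, Rapid7's or the article's code). Assumptions:
- version strings look like '11.2.3' or '11.1.0_12' (dotted numerics, optional
  build suffix); this format is an assumption, not taken from the vendor
- v10 and v11 are both treated as affected (Rapid7's reading)
- the fixed line starts at 11.3.1 ("11.3.1+" in the advisory)
- the inventory field names and sample hosts are constructed for this script
"""
from dataclasses import dataclass

FIXED_VERSION = (11, 3, 1)   # first fixed release: 11.3.1+
AFFECTED_MAJORS = {10, 11}   # v11 per the vendor email, v10 as well per Rapid7


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.3.1' into (11, 3, 1); a build suffix such as '_12' becomes a 4th component."""
    core = text.strip().lstrip("v").replace("_", ".")
    parts: list[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            break                      # stop at the first non-numeric piece
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable CrushFTP version: {text!r}")
    return tuple(parts)


def version_status(version: str) -> str:
    """'not_affected' (major outside 10/11), 'fixed' (>= 11.3.1) or 'vulnerable'."""
    v = parse_version(version)
    if v[0] not in AFFECTED_MAJORS:
        return "not_affected"
    # compare only major.minor.patch, padding short strings ('11.3' -> 11.3.0)
    core = tuple(list(v[:3]) + [0] * (3 - len(v[:3])))
    return "fixed" if core >= FIXED_VERSION else "vulnerable"


@dataclass
class Host:
    name: str
    version: str
    internet_exposed_https: bool   # web interface reachable from the Internet (hypothetical field)
    dmz_enabled: bool              # CrushFTP DMZ feature in use (hypothetical field)


def priority(host: Host) -> tuple[str, str]:
    """Return (level, reason) mirroring the advisory's recommended actions."""
    status = version_status(host.version)
    if status != "vulnerable":
        return status, "no action required for this advisory"
    if not host.internet_exposed_https:
        return "low", "vulnerable build, but HTTP(S) is not Internet-exposed; schedule the update"
    if host.dmz_enabled:
        return "medium", "vulnerable build exposed over HTTP(S); DMZ workaround in place, patch soon"
    return "critical", "vulnerable build exposed over HTTP(S) with no DMZ; update to 11.3.1+ now"


def triage(hosts: list[Host]) -> dict[str, str]:
    """Map host name -> priority level for the whole inventory."""
    return {h.name: priority(h)[0] for h in hosts}


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("ftp-edge-1", "11.2.3", internet_exposed_https=True, dmz_enabled=False),
    Host("ftp-edge-2", "11.3.1", internet_exposed_https=True, dmz_enabled=False),
    Host("ftp-internal", "10.8.0", internet_exposed_https=False, dmz_enabled=False),
    Host("ftp-partner", "11.1.0_12", internet_exposed_https=True, dmz_enabled=True),
    Host("ftp-legacy", "9.4", internet_exposed_https=True, dmz_enabled=False),
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        level, reason = priority(host)
        print(f"{host.name:14} {host.version:10} {level:13} {reason}")
```

Hosts rated critical are the ones the article's Shodan figure is really about: an affected build with its web interface on the Internet and no DMZ in front of it. The DMZ case is ranked medium rather than cleared, since the article presents it as a temporary workaround, not a fix.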
Given the history of attacks on file transfer solutions, organizations using CrushFTP should act swiftly to secure their environments before this vulnerability is actively exploited. Cybercriminals are constantly searching for new entry points, and unpatched systems remain prime targets.