Patch Now: CrushFTP Authentication Bypass Actively Exploited

Red | Vulnerability Report

CrushFTP, a popular file transfer server, has a critical authentication bypass vulnerability (CVE-2025-2825/CVE-2025-31161) affecting versions 10.0.0-10.8.3 and 11.0.0-11.3.0. The flaw allows unauthenticated attackers to gain unauthorized server access through exposed HTTP(S) ports, potentially leading to data theft and system compromise. Active exploitation has been observed, and over 1,500 unpatched instances remain vulnerable. Users are strongly advised to update to version 10.8.4 or 11.3.1 immediately to mitigate the risk.
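To triage an asset inventory against the version ranges above, a small checker like the following can help; it is an added example, not code from HivePro or CrushFTP. It assumes versions are reported as `major.minor.patch` with an optional trailing build suffix that is ignored, and the hostnames and versions in the sample inventory are constructed.

```python
import re

# Affected ranges and fixed releases as stated in the advisory text above.
AFFECTED = {
    10: ((10, 0, 0), (10, 8, 3), "10.8.4"),
    11: ((11, 0, 0), (11, 3, 0), "11.3.1"),
}

def parse_version(raw):
    """Return (major, minor, patch), or None if the string is unusable.

    Assumption: anything after the third numeric component (for example a
    build suffix such as "_12") is ignored for the range comparison.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", raw or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(raw):
    """Classify one reported version string against the advisory ranges."""
    ver = parse_version(raw)
    if ver is None:
        return ("unknown", None)        # needs a manual check, never "safe"
    branch = AFFECTED.get(ver[0])
    if branch is None:
        return ("out_of_scope", None)   # advisory gives no range for this major
    low, high, fixed = branch
    if low <= ver <= high:
        return ("vulnerable", fixed)
    return ("patched", None)

def triage_inventory(inventory):
    """Return (host, status, upgrade_target) rows, vulnerable hosts first."""
    order = {"vulnerable": 0, "unknown": 1, "out_of_scope": 2, "patched": 3}
    rows = [(host, *triage(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "sftp-edge-01": "11.3.0",
    "sftp-edge-02": "11.3.1",
    "partner-xfer": "10.8.3_4",
    "legacy-ftp": "9.4.0",
    "lab-box": "unreported",
}

if __name__ == "__main__":
    for host, status, fixed in triage_inventory(SAMPLE):
        print(f"{host:14} {status:13} {'upgrade to ' + fixed if fixed else ''}")
```

Hosts reported as `unknown` or `out_of_scope` are not cleared by this check and still need to be verified by hand.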
