CrushFTP HTTPS Port Vulnerability Leads to Unauthorized Access

On March 21, 2025, CrushFTP's developers disclosed the flaw to customers by email, confirming that both version 10 and version 11 installations are vulnerable under specific configurations. The issue, tracked as CVE-2025-2825, lets remote, unauthenticated HTTP(S) requests gain unauthorized access to the server; the affected builds are 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, so the fixed releases are 10.8.4 and 11.3.1. CrushFTP's guidance was that instances fronted by its DMZ proxy feature are not exposed, which makes the DMZ configuration the first thing to verify when triaging an install.

"The unauthorized port access vulnerability creates a significant security risk for organizations relying on CrushFTP for sensitive file transfers," said a Rapid7 security analyst. InsightVM and Nexpose customers running CrushFTP on Linux have had vulnerability checks for the unauthenticated HTTP(S) port access issue since March 21, 2025.

As of March 25, 2025, the flaw is not known to have been exploited in the wild, but rapid patching is essential: file transfer systems are critical infrastructure, similar vulnerabilities have historically been targeted within days of disclosure, and products like CrushFTP are high-value targets for ransomware operators and threat actors looking to access and exfiltrate sensitive organizational data quickly.
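The following script is an added example, not code from the article, Rapid7 or CrushFTP. It turns the published affected ranges into a triage check over a constructed asset inventory: it extracts a version from a free-form banner or inventory string, tests it against the inclusive ranges 10.0.0-10.8.3 and 11.0.0-11.3.0, and marks DMZ-fronted instances separately because the vendor tied exposure to that configuration. The banner formats, the host names and the `dmz_proxy` field are assumptions made for the example.

```python
import re
from typing import Optional

# Affected version ranges as listed in the CVE-2025-2825 record, inclusive:
# 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 8, 3)),
    ((11, 0, 0), (11, 3, 0)),
)

# major.minor.patch anywhere in the string; a trailing build suffix such as
# "_11" is ignored. Assumption: CrushFTP does not document a banner layout,
# so the inventory strings below are constructed for this example.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple[int, int, int]]:
    """Extract the first x.y.z version from a banner or inventory string."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(version: tuple[int, int, int]) -> bool:
    """True when the version lies inside an affected range.

    Tuples compare component-wise as integers, so 10.8.10 sorts after 10.8.3
    and is reported as outside the range; a string comparison would get
    that wrong.
    """
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def assess(inventory: list[dict]) -> list[dict]:
    """Return one finding per host that needs attention.

    Each entry carries 'host', 'version' (free-form string) and 'dmz_proxy'
    (True when the instance sits behind CrushFTP's DMZ front end). Hosts
    whose version cannot be parsed are reported rather than silently skipped.
    """
    findings = []
    for entry in inventory:
        version = parse_version(entry.get("version", ""))
        if version is None:
            findings.append({"host": entry["host"], "status": "unknown-version"})
            continue
        if not is_affected(version):
            continue
        status = "affected-dmz-fronted" if entry.get("dmz_proxy") else "affected"
        findings.append({
            "host": entry["host"],
            "status": status,
            "version": ".".join(str(n) for n in version),
        })
    return findings


# Constructed sample inventory; none of these are real hosts.
SAMPLE_INVENTORY = [
    {"host": "ftp-1.example.test", "version": "CrushFTP 11.3.0_11", "dmz_proxy": False},
    {"host": "ftp-2.example.test", "version": "11.3.1", "dmz_proxy": False},
    {"host": "ftp-3.example.test", "version": "10.8.3", "dmz_proxy": True},
    {"host": "ftp-4.example.test", "version": "10.8.10", "dmz_proxy": False},
    {"host": "ftp-5.example.test", "version": "unknown", "dmz_proxy": False},
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_INVENTORY):
        print(finding)
```

DMZ-fronted hosts are kept in the output with their own status instead of being dropped: the vendor's note lowers their priority, but an inventory that hides them cannot be audited later. Hosts with no parseable version are reported too, since an unknown version is not evidence of a patched one.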

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 26 Mar 2025 14:30:15 +0000


Cyber News related to CrushFTP HTTPS Port Vulnerability Leads to Unauthorized Access

CrushFTP warns users to patch unauthenticated access flaw immediately - In November 2023, CrushFTP customers were also warned to patch a critical remote code execution vulnerability (CVE-2023-43177) in the company's enterprise suite after Converge security researchers who reported the flaw released a proof-of-concept ...
3 days ago Bleepingcomputer.com CVE-2023-43177
Exploit for CrushFTP RCE chain released, patch now - A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords. The ...
1 year ago Bleepingcomputer.com CVE-2023-43177
How to Clean Your Charging Port in 5 Easy Steps - Throughout the day, your phone accumulates debris, creating a barrier in the port and hindering a secure connection with your charger. Read on to learn how to clean a charging port in five easy steps. One of the most common causes of charging ...
1 year ago Pandasecurity.com
CVE-2024-38514 - NextChat v2.12.3 suffers from a Server-Side Request Forgery (SSRF) and Cross-Site Scripting vulnerability due to a lack of validation of the GET parameter on the WebDav API endpoint.The vulnerability exists because of the following code snippet ...
9 months ago Tenable.com
CVE-2024-26152 - ### Summary ...
1 year ago
Google Chrome now auto-upgrades to secure connections for all users - Google has taken a significant step towards enhancing Chrome internet security by automatically upgrading insecure HTTP requests to HTTPS requests for 100% of users. A limited rollout of this feature in Google Chrome began in July, but as of October ...
1 year ago Bleepingcomputer.com
CVE-2024-56670 - In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer Considering that in some extreme cases, when u_serial driver is accessed by multiple ...
3 months ago Tenable.com
CVE-2025-21746 - In the Linux kernel, the following vulnerability has been resolved: ...
1 month ago
CVE-2025-2825 - CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access. ...
3 days ago
CVE-2023-29193 - SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. The `spicedb serve` command contains a flag named `--grpc-preshared-key` which is used to protect the gRPC API ...
1 year ago
CVE-2023-22409 - An Unchecked Input for Loop Condition vulnerability in a NAT library of Juniper Networks Junos OS allows a local authenticated attacker with low privileges to cause a Denial of Service (DoS). When an inconsistent "deterministic NAT" ...
2 years ago
CVE-2025-21820 - In the Linux kernel, the following vulnerability has been resolved: ...
1 month ago
CVE-2022-49264 - In the Linux kernel, the following vulnerability has been resolved: ...
1 month ago
The Last Mile of Encrypting the Web: 2023 Year in Review - At the start of 2023, we sunsetted the HTTPS Everywhere web extension. It encrypted browser communications with websites and made sure users benefited from the protection of HTTPS wherever possible. HTTPS Everywhere ended because all major browsers ...
1 year ago Eff.org
The conundrum that is the modern use of NAT at a carrier grade level - The modern use of NAT poses a problem for both users and reputation vendors alike. Carrier Grade NAT is just NAT on a much larger scale. Not only does Mister X not have that IP, he has just one port on one IP for the duration of that connection and ...
1 year ago Spamhaus.org Silence
Most Advanced iPhone Exploit Ever, Google's $5 Billion Settlement, Apple's Journal App - In this episode, we discuss the most sophisticated iPhone exploit ever, Google's agreement to settle a $5 billion lawsuit about tracking users in 'incognito' mode, and a new iOS app, Journal. The iPhone exploit, known as Operation Triangulation, has ...
1 year ago Securityboulevard.com
The World of Scambaiting, Preventing Social Media Account Takeovers, Network Wrenches Hacked - In Episode 313, hosts Tom and Scott discuss the world of scambaiting, discussing what it is, the tactics used, and its effectiveness in stopping scammers. They talk about popular channels like Scammer Payback and Kitboga that show these scams in ...
1 year ago Securityboulevard.com
5 ways to secure identity and access for 2024 - 1 This increase is due in part to the rise of generative AI and large language models, which bring new opportunities and challenges for security professionals while affecting what we must do to secure access effectively. Learn how unified multicloud ...
1 year ago Microsoft.com
CVE-2024-39864 - The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the ...
8 months ago
CVE-2017-3635 - Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/C). Supported versions that are affected are 6.1.10 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via ...
5 years ago
FCC adopts new rules to protect consumers from SIM-swapping attacks - The Federal Communications Commission has revealed new rules to shield consumers from criminals who hijack their phone numbers in SIM swapping attacks and port-out fraud. FCC's Privacy and Data Protection Task Force introduced the new regulations in ...
1 year ago Bleepingcomputer.com Scattered Spider
CVE-2023-41337 - h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a ...
1 year ago Tenable.com
CVE-2020-1631 - A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file ...
2 years ago
CVE-2023-52771 - In the Linux kernel, the following vulnerability has been resolved: cxl/port: Fix delete_endpoint() vs parent unregistration race The CXL subsystem, at cxl_mem ->probe() time, establishes a lineage of ports (struct cxl_port objects) between an ...
10 months ago Tenable.com
