CrushFTP HTTPS Port Vulnerability Leads to Unauthorized Access

On March 21, 2025, CrushFTP developers disclosed this security flaw to customers via email, confirming that both version 10 and 11 installations are vulnerable if specific configurations are in place. “The unauthorized port access vulnerability creates a significant security risk for organizations relying on CrushFTP for sensitive file transfers,” said a Rapid7 security analyst. File transfer technologies like CrushFTP are considered high-value targets for ransomware operators and threat actors seeking to access and exfiltrate sensitive organizational data quickly. As of March 25, 2025, neither vulnerability is known to have been exploited in the wild, but security professionals emphasize that rapid patching is essential given the critical nature of these file transfer systems and the history of similar vulnerabilities being targeted soon after disclosure. InsightVM and Nexpose customers who run CrushFTP on Linux can assess their exposure to the unauthenticated HTTP(S) port access issue with vulnerability checks available since March 21, 2025.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 26 Mar 2025 14:30:15 +0000


Cyber News related to CrushFTP HTTPS Port Vulnerability Leads to Unauthorized Access

CrushFTP warns users to patch unauthenticated access flaw immediately - In November 2023, CrushFTP customers were also warned to patch a critical remote code execution vulnerability (CVE-2023-43177) in the company's enterprise suite after Converge security researchers who reported the flaw released a proof-of-concept ...
2 months ago Bleepingcomputer.com CVE-2023-43177
Critical auth bypass bug in CrushFTP now exploited in attacks - CrushFTP customers were also warned to patch a critical remote code execution bug (CVE-2023-43177) in the company's enterprise suite in November 2023 after Converge security researchers (who discovered and reported the flaw) released a ...
2 months ago Bleepingcomputer.com CVE-2023-43177
Exploit for CrushFTP RCE chain released, patch now - A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords. The ...
1 year ago Bleepingcomputer.com CVE-2023-43177
CISA, experts warn of Crush file transfer attacks as ransomware gang makes threats | The Record from Recorded Future News - “Someone else looking for some fame, it seems, managed to reverse engineer our changes that we had bundled up and published a public disclosure detailing the exploit method and taking credit for the vulnerability,” a spokesperson for CrushFTP told ...
2 months ago Therecord.media CVE-2025-31161
CISA Warns of CrushFTP Authentication Bypass Vulnerability Exploited in Attacks - As file transfer applications remain attractive targets for threat actors, organizations should maintain vigilance and promptly apply security updates to mitigate potential compromise through this critical vulnerability. Designated as CVE-2025-31161, ...
2 months ago Cybersecuritynews.com CVE-2025-31161
How to Clean Your Charging Port in 5 Easy Steps - Throughout the day, your phone accumulates debris, creating a barrier in the port and hindering a secure connection with your charger. Read on to learn how to clean a charging port in five easy steps. One of the most common causes of charging ...
1 year ago Pandasecurity.com
CrushFTP Vulnerability Exploited to Bypass Authentication - CrushFTP addressed this vulnerability in version 11.3.1 by adding a new security parameter s3_auth_lookup_password_supported set to false by default and implementing proper security checks in the authentication flow. A critical vulnerability ...
2 months ago Cybersecuritynews.com CVE-2025-2825
CVE-2025-41233 - Description: ...
1 week ago
CVE-2024-38514 - NextChat v2.12.3 suffers from a Server-Side Request Forgery (SSRF) and Cross-Site Scripting vulnerability due to a lack of validation of the GET parameter on the WebDav API endpoint. The vulnerability exists because of the following code snippet ...
11 months ago Tenable.com
CVE-2024-26152 - ### Summary ...
1 year ago
Google Chrome now auto-upgrades to secure connections for all users - Google has taken a significant step towards enhancing Chrome internet security by automatically upgrading insecure HTTP requests to HTTPS requests for 100% of users. A limited rollout of this feature in Google Chrome began in July, but as of October ...
1 year ago Bleepingcomputer.com
CVE-2023-53048 - In the Linux kernel, the following vulnerability has been resolved: ...
1 month ago
CVE-2024-56670 - In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer Considering that in some extreme cases, when u_serial driver is accessed by multiple ...
5 months ago Tenable.com
CVE-2025-21746 - In the Linux kernel, the following vulnerability has been resolved: ...
3 months ago
CVE-2023-29193 - SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. The `spicedb serve` command contains a flag named `--grpc-preshared-key` which is used to protect the gRPC API ...
2 years ago
CVE-2023-22409 - An Unchecked Input for Loop Condition vulnerability in a NAT library of Juniper Networks Junos OS allows a local authenticated attacker with low privileges to cause a Denial of Service (DoS). When an inconsistent "deterministic NAT" ...
2 years ago
CVE-2025-21820 - In the Linux kernel, the following vulnerability has been resolved: ...
3 months ago
CVE-2025-6087 - A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy ...
1 week ago
CVE-2022-49264 - In the Linux kernel, the following vulnerability has been resolved: ...
3 months ago
The Last Mile of Encrypting the Web: 2023 Year in Review - At the start of 2023, we sunsetted the HTTPS Everywhere web extension. It encrypted browser communications with websites and made sure users benefited from the protection of HTTPS wherever possible. HTTPS Everywhere ended because all major browsers ...
1 year ago Eff.org
The conundrum that is the modern use of NAT at a carrier grade level - The modern use of NAT poses a problem for both users and reputation vendors alike. Carrier Grade NAT is just NAT on a much larger scale. Not only does Mister X not have that IP, he has just one port on one IP for the duration of that connection and ...
1 year ago Spamhaus.org Silence
Most Advanced iPhone Exploit Ever, Google's $5 Billion Settlement, Apple's Journal App - In this episode, we discuss the most sophisticated iPhone exploit ever, Google's agreement to settle a $5 billion lawsuit about tracking users in 'incognito' mode, and a new iOS app, Journal. The iPhone exploit, known as Operation Triangulation, has ...
1 year ago Securityboulevard.com
The World of Scambaiting, Preventing Social Media Account Takeovers, Network Wrenches Hacked - In Episode 313, hosts Tom and Scott discuss the world of scambaiting, discussing what it is, the tactics used, and its effectiveness in stopping scammers. They talk about popular channels like Scammer Payback and Kitboga that show these scams in ...
1 year ago Securityboulevard.com
Port of Seattle says ransomware breach impacts 90,000 people - Port of Seattle, the U.S. government agency overseeing Seattle's seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack. The agency ...
2 months ago Bleepingcomputer.com Rhysida