CrushFTP has warned users to patch an unauthenticated access flaw immediately, affecting all v11 versions. The vulnerability enables attackers to gain unauthorized access to unpatched CrushFTP v11 servers, particularly those with exposed HTTP(S) ports.
CrushFTP’s Unauthenticated Access Flaw Warning
CrushFTP, a widely used file transfer protocol server, has recently issued a critical warning to its users, urging them to patch an unauthenticated access flaw immediately. This warning addresses a significant security vulnerability that affects all versions of v11, with potential implications for v10 as well.
On March 21, 2025, the company emailed customers, warning of an unauthenticated HTTP(S) port access vulnerability. The email emphasized the urgency, stating, “Please take immediate action to patch ASAP. A vulnerability has been addressed today (March 21st, 2025). All CrushFTP v11 versions were affected. (No earlier versions are affected.) A CVE will be generated soon.”
CrushFTP Flaw Description
The vulnerability is described as an unauthenticated HTTP(S) port access flaw: attackers can potentially gain access to an unpatched server without authenticating if its HTTP(S) port is reachable from the internet. This is particularly dangerous for internet-facing servers, as it could lead to unauthorized access, data exfiltration, or further exploitation. The bottom line is that an exposed HTTP(S) port on an unpatched v11 server could lead to unauthenticated access.
The severity is underscored by the potential for ransomware and other adversaries to target file transfer technologies. This vulnerability is especially concerning given historical exploitation of similar flaws in CrushFTP, such as the 2024 zero-day (CVE-2024-4040), which allowed complete server compromise.
It will hardly be different this time, especially considering the availability of a PoC exploit on GitHub. It was posted merely hours after the original disclosure from the developers, and will surely act as an additional push for exploitation of this flaw.
Mitigation and Patch Details
To address this flaw, CrushFTP released version 11.3.1. The change log, accessible via version history, mentions an “Authentication fix” for v11.3.1. Users are urged to update immediately, without waiting for regular patch cycles.
An important mitigation strategy is the use of the DMZ feature. This is particularly relevant for users with exposed servers, as it reduces the attack surface. For users still on older versions, the update process involves downloading the latest version from the CrushFTP download page, with download options for Java 21 and without Java 17, ensuring compatibility across platforms.
The email notification explicitly states that no versions earlier than v11 are affected, focusing solely on v11. However, the mention of v10 in some sources' coverage of the advisory introduces uncertainty. Given the lack of specific patch information for v10 in the recent updates, it seems that the focus is on v11. v10 users should still ensure they are on the latest patch for previous vulnerabilities, such as those addressed in v10.7.1 and v11.1.0 for CVE-2024-4040.

Users should prioritize updating to v11.3.1, ensuring their servers are not exposed to the internet without the DMZ feature. For those unsure of their version, checking the dashboard on the CrushFTP website and following the upgrade guide is recommended.
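The following triage script is an added example and not code from CrushFTP or from this article. It takes an inventory of CrushFTP servers and ranks which ones need action first, using only the thresholds stated above: v11 builds below 11.3.1 are affected by the new flaw, v10.7.1 and v11.1.0 are the fixes for CVE-2024-4040, and an exposed HTTP(S) port without the DMZ feature raises the priority. The inventory fields (host, version, whether the HTTP(S) listener is internet-facing, whether DMZ is in front of it), the sample hosts, the assumption that a trailing "_N" in a version string is a build number, and the critical/high/medium priority scheme are all this example's own assumptions.

```python
"""Triage a CrushFTP inventory against the March 2025 v11 advisory.

Added example, not CrushFTP's own code. The version thresholds come from the
advisory text; the inventory layout, sample hosts and priority scheme are
assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FIXED_V11 = (11, 3, 1)  # "Authentication fix" shipped in 11.3.1
CVE_2024_4040_FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}  # fixes named in the article

# Assumed format: MAJOR.MINOR[.PATCH] with an optional _BUILD suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[_-](\d+))?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a version string into a comparable (major, minor, patch) tuple.

    The optional build suffix is assumed not to matter for patch-level
    comparison and is dropped. Anything that does not match the assumed
    format raises, so a typo in the inventory is not silently treated as safe.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, _build = m.groups()
    return (int(major), int(minor), int(patch or 0))


@dataclass
class Server:
    host: str
    version: str
    http_exposed: bool  # HTTP(S) listener reachable from the internet
    behind_dmz: bool    # CrushFTP DMZ feature deployed in front of it


def assess(server: Server) -> dict:
    """Return the findings and an action priority for one server."""
    v = parse_version(server.version)
    findings = []
    # Only v11 is affected by the unauthenticated HTTP(S) access flaw.
    if v[0] == 11 and v < FIXED_V11:
        findings.append("unauthenticated HTTP(S) access flaw: upgrade to 11.3.1")
    # Older vulnerability the article says v10/v11 users should already have patched.
    if v[0] in CVE_2024_4040_FIXED and v < CVE_2024_4040_FIXED[v[0]]:
        fixed = ".".join(map(str, CVE_2024_4040_FIXED[v[0]]))
        findings.append(f"CVE-2024-4040: upgrade to {fixed} or later")

    if not findings:
        priority = "none"
    elif server.http_exposed and not server.behind_dmz:
        priority = "critical"  # exposed port, no DMZ: the exact scenario the advisory warns about
    elif server.http_exposed:
        priority = "high"      # DMZ reduces the attack surface but the patch is still needed
    else:
        priority = "medium"    # not internet-facing; still patch outside the normal cycle
    return {"host": server.host, "version": server.version,
            "priority": priority, "findings": findings}


def triage(servers: list[Server]) -> list[dict]:
    """Assess every server and order the results most urgent first."""
    order = {"critical": 0, "high": 1, "medium": 2, "none": 3}
    return sorted((assess(s) for s in servers), key=lambda r: order[r["priority"]])


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    Server("ftp-edge.example.internal", "11.2.3", http_exposed=True, behind_dmz=False),
    Server("ftp-partner.example.internal", "11.3.0_5", http_exposed=True, behind_dmz=True),
    Server("ftp-lab.example.internal", "11.3.1", http_exposed=True, behind_dmz=False),
    Server("ftp-legacy.example.internal", "10.6.2", http_exposed=False, behind_dmz=False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['priority']:8} {row['host']:30} {row['version']:10} "
              f"{'; '.join(row['findings']) or '-'}")
```

Running the block prints the sample inventory ordered critical, high, medium, none. The parser deliberately rejects anything outside the assumed version format rather than guessing, because an inventory entry that fails to parse should be looked at by a person, not scored as patched.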