While security researchers were busy hunting for the next big vulnerability, a critical flaw in CrushFTP quietly put thousands of servers at risk. The unauthenticated HTTP(S) port access vulnerability, disclosed on March 25, 2025, allows attackers to gain complete access to unpatched servers without breaking a sweat. No fancy hacking tools required – just point and click your way to admin access. Fun times.
Over 3,400 CrushFTP instances are currently exposed online. That’s not just a few servers – that’s thousands of potential targets for anyone with basic technical skills and questionable ethics. The vulnerability affects both CrushFTP version 10 (before 10.7.1) and version 11 (before 11.1.0), as well as all legacy version 9 installations. Older isn’t always better, folks.
With thousands of vulnerable CrushFTP servers exposed online, hackers don’t need elite skills—just outdated versions to exploit.
What makes this particularly concerning? The flaw allows arbitrary file read as root, authentication bypass, and full remote code execution. Translation: attackers can read your files, bypass your security, and run whatever code they want on your system. It’s basically handing over the keys to your digital kingdom. Small businesses are especially vulnerable: they account for 43% of all cyber attacks, and many lack proper security measures.
Security history seems to repeat itself with CrushFTP. This isn’t their first rodeo with critical vulnerabilities. In April 2024, CVE-2024-4040 allowed unauthenticated access to system files, and back in November 2023, CVE-2023-43177 enabled remote code execution. Like these past issues, CVE-2023-48795, with a CVSS score of 10.0, carries the highest possible severity rating. That vulnerability is particularly dangerous because it lets attackers leverage an AS2 header parsing flaw to take control of Java Properties. File transfer products like CrushFTP are prime targets for ransomware gangs. They just can’t seem to catch a break.
The fix is straightforward – update to CrushFTP v10.7.1 or v11.1.0 immediately. Don’t wait for your regular patch cycle. The vendor’s patch effectively addresses the issue, though the DMZ feature isn’t guaranteed to provide complete protection.
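To turn the affected-version ranges above (all 9.x, 10.x before 10.7.1, 11.x before 11.1.0) into something an inventory script can apply, here is an added Python example written for this article; it is not CrushFTP's code or a vendor-supplied tool. It assumes you already have each server's version string (from the admin console or your asset inventory) and parses only a leading `major.minor.patch` number; the hostnames, versions and build-suffix format in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges as stated in the article:
#   all 9.x (legacy), 10.x before 10.7.1, 11.x before 11.1.0.
# Fixed releases: 10.7.1 and 11.1.0.
FIXED_RELEASES: Dict[int, Tuple[int, int, int]] = {
    10: (10, 7, 1),
    11: (11, 1, 0),
}
LEGACY_MAJORS = {9}

# Accepts an optional leading "v" and ignores anything after the numeric part
# (e.g. a build suffix such as "11.1.0_build1", a constructed format).
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'v11.0.3' or '10.7' into a (major, minor, patch) tuple.

    Returns None when no leading numeric version is present.
    Missing components are padded with zeros, so '10.7' == (10, 7, 0).
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it is at or
    above the fixed release for its major, None if the string cannot be
    parsed or the major is not covered by the advisory (e.g. 12.x)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major = parsed[0]
    if major in LEGACY_MAJORS:
        return True            # every version 9 install is affected
    fixed = FIXED_RELEASES.get(major)
    if fixed is None:
        return None            # not in scope of this advisory; review manually
    return parsed < fixed      # tuple comparison: (10, 6, 2) < (10, 7, 1)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort a host -> version mapping into patch / ok / review buckets."""
    buckets: Dict[str, List[str]] = {"patch": [], "ok": [], "review": []}
    for host, version in inventory.items():
        verdict = is_vulnerable(version)
        if verdict is True:
            buckets["patch"].append(host)
        elif verdict is False:
            buckets["ok"].append(host)
        else:
            buckets["review"].append(host)
    for names in buckets.values():
        names.sort()
    return buckets


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames and versions are made up.
    sample = {
        "ftp-a.example.test": "10.6.2",
        "ftp-b.example.test": "10.7.1",
        "ftp-c.example.test": "v11.0.3",
        "ftp-d.example.test": "11.1.0",
        "ftp-e.example.test": "9.4.2",
        "ftp-f.example.test": "unknown",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Anything that lands in `review` (unparseable strings, or majors the advisory does not mention) should be checked by hand rather than assumed safe; the comparison deliberately answers only the question the advisory answers.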
No CVE has been assigned yet, but that doesn’t make the threat any less real. Detection tools are available for Linux in InsightVM/Nexpose, and Shodan queries can identify exposed instances.
Bottom line: patch now or prepare for unwelcome visitors. Your choice.