CrushFTP's CEO is not happy with VulnCheck after the CVE numbering authority (CNA) released an unofficial ID for the critical vulnerability in its file transfer tech disclosed almost a week ago.
According to an email exchange between CrushFTP's Ben Spink and VulnCheck's CTO Jacob Baines, shared by the latter as a screenshot on X on Wednesday, Spink responded to the CNA aggressively after Baines sent an email about the issuance of CVE-2025-2825 (9.8).
Spink's response email purportedly read: "You don't know any details on this issue. Yours [CVE] will be deleted as a duplicate. You did not discover this. The real CVE is pending. Your reputation will go down if you do not voluntarily remove your fake item. It will be blatantly obvious when the real CVE is live since it literally explains in detail the vulnerability you know nothing about.
"Please note! Due to a recent vulnerability, make certain you are using either CrushFTP v10.8.4+ or v11.3.1. Anything earlier is unsafe!"
For context, CrushFTP told customers via email on March 21 about a critical vulnerability, prompting them to "take immediate action to patch ASAP." It also promised to generate a CVE "soon."
It is now six days later and a CVE from CrushFTP itself has not yet materialized.
Assigning CVEs for vulnerabilities in a timely manner is important for defenders so they can easily track and prioritize the issues affecting their IT estate. Withholding them can lead to confusion and delays for customers.
CrushFTP's own advisory for the vulnerability is behind a customer paywall and appears to contain information that conflicts with the emails sent by the company support team, which claim only CrushFTP v11 versions are affected. The advisory adds that v10 is also vulnerable.
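Because the vendor's guidance on affected versions is split between a paywalled advisory and support emails, a defender's first job is to check their own inventory against the fixed builds named in the customer email (10.8.4 and 11.3.1). The following is an added example, not CrushFTP's or Rapid7's code; the inventory format, host names and function names are assumed, and only the two version thresholds come from the article.

```python
"""Flag CrushFTP installs that predate the fixed builds named in the vendor email.

Constructed example: the thresholds 10.8.4 and 11.3.1 are from the article;
the inventory format and function names are assumptions for illustration.
"""
import re
from typing import Optional

# Minimum patched build per major branch, as stated in CrushFTP's customer email.
FIXED_BUILDS = {10: (10, 8, 4), 11: (11, 3, 1)}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple]:
    """Pull a major.minor.patch triple out of strings like 'v11.3.0' or 'CrushFTP 10.7.2'."""
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version_text: str) -> str:
    """Classify a CrushFTP version string as 'patched', 'vulnerable' or 'unknown'.

    'unknown' covers unparsable strings and branches the advisory does not mention.
    """
    ver = parse_version(version_text)
    if ver is None:
        return "unknown"
    major = ver[0]
    if major in FIXED_BUILDS:
        return "patched" if ver >= FIXED_BUILDS[major] else "vulnerable"
    if major < 10:
        # "Anything earlier is unsafe": older branches have no fixed build at all.
        return "vulnerable"
    return "unknown"


def triage(inventory: dict) -> dict:
    """Map host -> status for a host:version-string inventory (constructed input)."""
    return {host: assess(v) for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "ftp-a.example.test": "CrushFTP v11.3.1",
        "ftp-b.example.test": "v11.2.3",
        "ftp-c.example.test": "10.8.4",
        "ftp-d.example.test": "10.7.1",
        "ftp-e.example.test": "9.4.0",
        "ftp-f.example.test": "build unknown",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be checked by hand rather than assumed safe, since the script cannot tell a future branch from a malformed inventory entry.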
The vulnerability itself, the severity of which wasn't specified in the customer email (shared by Rapid7), is an unauthenticated access bug that allows attackers to access file servers using specially crafted HTTP requests.
According to the exploitability assessment provided by VulnCheck, a remote attack would require no privileges or user interaction to carry out, and would be a low-complexity one at that.
The seasoned security pros among our readership won't need to be told that file transfer applications like CrushFTP are routinely targeted by ransomware groups since exploited vulnerabilities can lead to a trove of data that can be stolen and held for ransom.
Just think MOVEit, Cleo, GoAnywhere, and Accellion FTA – these are all examples of popular file transfer apps used by high-profile organizations that have been borked by baddies in recent years.
We can add CrushFTP to this list too. Although the current thinking is that the latest bug hasn't been exploited in the wild, a vulnerability from April 2024 was exploited as a zero-day.
According to Rapid7's writeup, CrushFTP failed to issue a CVE for this one as well, so again a third-party CNA stepped in, assigning it CVE-2024-4040.
The security vendor claimed that the vulnerability was "trivially exploitable" and allowed full admin access to file servers.
While CrushFTP doesn't list details of its customers in the public domain, it claims to have some high-profile organizations – including Fortune 100 companies – among its clientele, and thousands overall across different industries.
The Register asked the team behind the file transfer product for additional information and for comment on the CEO's remarks to VulnCheck, but it didn't immediately respond. ®