News and events Own Your Online External Link Report an incident
News and events Own Your Online External Link
  1. Welcome to CERT NZ
  2. Advisories
  3. CVE-2025-2825 affecting CrushFTP

CVE-2025-2825 affecting CrushFTP

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates to be notified as soon as we publish an advisory.

11:20am, 3 April 2025

TLP Rating: Clear

CVE-2025-2825 affecting CrushFTP

CVE-2025-2825 is an authentication bypass vulnerability affecting CrushFTP that could allow a remote attacker to gain unauthorised access. The NCSC is aware of a proof of concept (PoC) that a threat actor could use to exploit this vulnerability. CrushFTP has made patches available.

What's happening

Systems affected

The vulnerability affects the following versions of CrushFTP: 

  • CrushFTP versions 10.0.0 through 10.8. 
  • CrushFTP versions 11.0.0 through 11.3.0

What this means

Organisations using affected CrushFTP versions could be vulnerable to the CVE.

What to do

Prevention

Update to one of the vendor advised CrushFTP versions.

More information

Vendor Advisory

Crush11wiki: Update External Link

CVE

CVE-2025-2825 External Link

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at media@ncsc.govt.nz.