CVE-2025-31161 affecting CrushFTP - update

12:00pm, 8 April 2025

TLP Rating: Clear

The NCSC would like to note that CrushFTP CVE-2025-2825, identified in a previous advisory on 01/04/2025, is now being tracked as CVE-2025-31161.

CVE-2025-31161 is an authentication bypass vulnerability affecting CrushFTP that could allow a remote attacker to gain unauthorised access. The NCSC is aware of reports of active exploitation of this vulnerability.

CrushFTP has made patches available.

What's happening

Systems affected

The vulnerability affects the following versions of CrushFTP: 

  • CrushFTP versions 10.0.0 through 10.8.3
  • CrushFTP versions 11.0.0 through 11.3.0

What this means

Organisations using affected CrushFTP versions could be vulnerable to CVE-2025-31161.

What to look for

How to tell if you're at risk

Update to one of the vendor-advised CrushFTP versions.
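
As an added example (not NCSC or CrushFTP code), the following Python script checks an inventory of reported version strings against the two affected ranges listed above. It compares versions numerically, because plain string comparison misorders values such as 10.8.10 and 10.8.3. The hostnames, the sample versions and the handling of a trailing build suffix are assumptions.

```python
import re

# Affected ranges exactly as listed in this advisory (inclusive bounds).
AFFECTED_RANGES = [
    ((10, 0, 0), (10, 8, 3)),
    ((11, 0, 0), (11, 3, 0)),
]

# Assumption: versions are reported as MAJOR.MINOR.PATCH, optionally followed
# by a build suffix such as "_5" or " build 5", which is ignored here.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[_\s-].*)?$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch) or None if the string is not recognised."""
    m = _VERSION_RE.match(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Classify one version string against the advisory's affected ranges."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"      # needs manual review, never assume unaffected
    for low, high in AFFECTED_RANGES:
        if low <= version <= high:   # numeric tuple comparison, not string
            return "affected"
    return "not-listed"       # outside the ranges this advisory names


def triage(inventory):
    """Map host -> status for a {host: version string} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "sftp-01.example.internal": "10.8.3",
    "sftp-02.example.internal": "11.3.0_12",
    "sftp-03.example.internal": "11.10.2",
    "sftp-04.example.internal": "10.8.10",
    "sftp-05.example.internal": "unknown (agent offline)",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:28} {SAMPLE_INVENTORY[host]:26} {status}")
```

A result of `not-listed` only means the version falls outside the ranges this advisory names; confirm the installed build against the vendor advisory before treating a host as remediated.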

More information

Vendor Advisory
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident to CERT NZ

For media enquiries, email our media desk at media@ncsc.govt.nz.