- A critical flaw was discovered in the CrushFTP file transfer tool
- Experts say the issue has been abused in the wild
- CISA added the flaw to its KEV catalog
A critical-severity vulnerability affecting the CrushFTP file transfer software has been observed under active exploitation in the wild.
Earlier this month, it was reported that the software, commonly used by organizations to manage large-scale file transfers, contained an authentication bypass vulnerability that allowed unauthenticated attackers to obtain administrative access.
By specifically targeting the crushadmin account, threat actors could abuse the flaw to fully compromise the target system.
CISA adds it to KEV
The flaw is now tracked as CVE-2025-31161 and has received a severity score of 9.8/10 (critical).
It affects CrushFTP versions 10 before 10.8.4 and 11 before 11.3.1. Users are strongly urged to update these versions immediately; if they cannot, enabling the DMZ proxy instance can be used as a temporary workaround.
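To triage an asset inventory against the affected ranges above, a check along the following lines can be used. This is an added example, not code from the vendor or the original article; the host names, the inventory itself and the "_build" suffix handling are constructed assumptions.

```python
import re

# First fixed release per affected branch, as stated in the article.
FIXED = {10: (10, 8, 4), 11: (11, 3, 1)}

# major.minor[.patch], optionally followed by a build suffix such as "_5"
# (suffix format is an assumption; it is ignored for the comparison).
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:[_\-+ ].*)?")


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not a version."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(text):
    """Classify one reported version string against CVE-2025-31161 ranges."""
    version = parse_version(text)
    if version is None:
        return "unknown"      # unparseable: verify by hand, do not assume safe
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "not-listed"   # branch not covered by the article's statement
    return "vulnerable" if version < fixed else "patched"


def triage(inventory):
    """Map each host to its status; anything not 'patched' needs follow-up."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "mft-01.example.internal": "10.8.3",
    "mft-02.example.internal": "11.3.0_5",
    "mft-03.example.internal": "11.3.1",
    "mft-04.example.internal": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:28} {status}")
```

Treat "unknown" results as unpatched until the version is confirmed on the host itself.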
Security researchers warned that the bug was being used in the wild to install remote management tools such as AnyDesk and MeshAgent, The Hacker News reported.
CISA also picked up the news, adding the bug to its Known Exploited Vulnerabilities (KEV) catalog. This means that Federal Civilian Executive Branch (FCEB) agencies have a three-week deadline (until April 28) to apply the patch or stop using CrushFTP entirely.
Cybercriminals often target vulnerabilities in managed file transfer software, as they can provide access to sensitive corporate databases. In fact, one of the most devastating cyberattacks in recent history occurred in 2023, when the Cl0p ransomware operator abused a previously unknown SQL injection vulnerability in the MOVEit managed file transfer software to breach hundreds of companies around the world.
A year before that, GoAnywhere MFT was breached and used to steal sensitive data from nearly 130 organizations, and in January 2024, the same software proved vulnerable to a critical path traversal weakness.




