A major controversy has erupted in the cybersecurity community over a critical CrushFTP vulnerability — and now, two different CVEs are at the center of the confusion. While attackers actively exploit the flaw, the industry finds itself divided over which CVE is the correct one to track.
On March 21, developers of the CrushFTP enterprise file transfer tool revealed that both versions 10 and 11 were impacted by a severe security flaw. This vulnerability allows attackers to bypass authentication and gain full administrative access to vulnerable servers — a worst-case scenario for organizations relying on CrushFTP for secure file transfers.
Two CVEs, One Flaw: The Timeline of Confusion
Initially, no CVE had been issued for the flaw. To fill the gap, security intelligence firm VulnCheck — a CVE Numbering Authority (CNA) since April 2023 — took the initiative and assigned the identifier CVE-2025-2825. VulnCheck stated it acted because no official CVE had appeared even five days after disclosure.
However, this move didn’t sit well with CrushFTP. The company pushed back, saying that an official CVE was already in the works. That identifier, CVE-2025-31161, was later assigned by Outpost24, the security firm that responsibly disclosed the vulnerability to CrushFTP in the first place.
Behind the Scenes: Why the Delay?
According to Outpost24, it had contacted MITRE — the organization managing CVE assignments — on March 13. The plan was to follow responsible disclosure guidelines and keep the details private for 90 days to prevent real-world attacks.
Unfortunately, MITRE only assigned CVE-2025-31161 on March 27. By that point, the industry had already adopted VulnCheck’s CVE-2025-2825 in public threat reports, exploit writeups, and vulnerability databases.
Outpost24 criticized VulnCheck for bypassing standard disclosure norms, failing to reach out to CrushFTP or itself before publishing the CVE, and neglecting to credit the original discoverer of the vulnerability.
Active Exploitation and Mounting Risk
The drama over CVE identifiers is more than just bureaucratic — the vulnerability is now being actively exploited in the wild.
Shortly after the flaw became public, cybersecurity researchers began publishing proof-of-concept (PoC) exploit code and sharing in-depth technical analyses. This exposure led to a surge in attack attempts, according to data from the Shadowserver Foundation.
At one point, there were over 1,800 internet-facing CrushFTP servers exposed to this attack vector. As of April 2, that number has dropped — but there are still hundreds of vulnerable instances, including more than 500 in the United States alone.
Patching Urged, But Blame Circulates
CrushFTP said it issued patches quickly through versions 11.3.1 and 10.8.4, along with recommended workarounds. However, the company blames the early release of technical details — and the actions of security researchers — for accelerating exploitation.
In a comment to SecurityWeek, CrushFTP accused certain cybersecurity firms of being “bad actors,” arguing that their eagerness to analyze and publicize the flaw led directly to its use in attacks.
What Are Attackers Doing With the Flaw?
It’s still unclear exactly how attackers are leveraging the vulnerability post-exploitation. The nature of the bug gives them administrative-level access, which could potentially be used to steal sensitive data, exfiltrate files, or pivot to deeper intrusions inside affected networks; defenders should therefore treat any exposed, unpatched instance as potentially compromised rather than merely at risk.
As security teams rush to apply patches, the issue also highlights a deeper challenge in the industry: disjointed CVE management, lack of coordination, and the growing tension between rapid public disclosure and responsible handling of high-risk vulnerabilities.