CrushFTP chose the narrative over its customers
CrushFTP tried to keep a CVSS 9.8 auth bypass quiet. The disclosure mess that followed — two CVEs, public PoC code, CEO threats — helped attackers move faster.
CrushFTP had a CVSS 9.8 pre-auth bypass in its hands, and its first instinct was to control who knew about it. The company quietly patched, privately emailed select customers, skipped the public advisory, and tried to sit on the details for 90 days. When an outside organization assigned a CVE, the CEO threatened their reputation. The result: two competing CVE identifiers for the same flaw, PoC exploit code circulating under the wrong one, and defenders trying to track a moving target while ransomware operators moved in. This is CrushFTP’s second KEV listing in twelve months.
What went wrong, and in what order
On March 13, 2025, researchers at Outpost24 found an authentication bypass in CrushFTP’s S3-compatible AWS4-HMAC-SHA256 handler. A malformed Authorization header with no SignedHeaders field triggers an index-out-of-bounds exception in ServerSessionHTTP.java; because the exception fires after the server has already authenticated the user but before the session cleanup that would have undone that state, the authenticated session survives. Pre-auth, network-reachable, no user interaction. CVSS 9.8. Affected versions: CrushFTP 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.
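A defender-side check for the condition described above, added here as an example that is not code from CrushFTP, Outpost24 or any of the cited writeups: it parses AWS4-HMAC-SHA256 Authorization headers out of access-log lines and flags any that lack the SignedHeaders field. The log format and sample lines are constructed assumptions (for instance a reverse proxy in front of CrushFTP configured to log the header), as are the function names.

```python
import re
from typing import List, Optional, Tuple

# Matches the SigV4 scheme the page says CrushFTP's S3-compatible handler accepts.
SIGV4_RE = re.compile(r"^AWS4-HMAC-SHA256(?:\s+(?P<params>.*))?$", re.IGNORECASE)
REQUIRED_FIELDS = ("Credential", "SignedHeaders", "Signature")  # every valid SigV4 header has these

def parse_sigv4_params(header_value: str) -> Optional[dict]:
    """Split a SigV4 Authorization header into its key=value fields.
    Returns None for non-SigV4 schemes (Basic, Bearer, ...)."""
    m = SIGV4_RE.match(header_value.strip())
    if not m:
        return None
    params = {}
    for part in (m.group("params") or "").split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def check_authorization(header_value: str) -> Optional[str]:
    """Return a reason if the header has the malformed shape the page describes
    (SigV4 with no SignedHeaders field, or otherwise incomplete), else None."""
    params = parse_sigv4_params(header_value)
    if params is None:
        return None  # other schemes are out of scope for this check
    missing = [f for f in REQUIRED_FIELDS if f not in params]
    return ("SigV4 Authorization header missing " + ", ".join(missing)) if missing else None

def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, reason, header) for each line whose Authorization header
    fails check_authorization. Assumes a constructed access-log format that quotes
    the header as authorization="..." (not CrushFTP's own log format)."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'authorization="([^"]*)"', line)
        reason = check_authorization(m.group(1)) if m else None
        if reason:
            findings.append((n, reason, m.group(1)))
    return findings

# Constructed sample lines: malformed SigV4, complete SigV4, unrelated Basic auth.
SAMPLE_LOG = [
    '2025-03-30T10:01:02Z 203.0.113.7 "GET /" authorization="AWS4-HMAC-SHA256 '
    'Credential=auditor/20250330/us-east-1/s3/aws4_request, Signature=0000"',
    '2025-03-30T10:01:05Z 198.51.100.4 "PUT /bucket/x.csv" authorization="AWS4-HMAC-SHA256 '
    'Credential=svc/20250330/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=abcd"',
    '2025-03-30T10:01:09Z 192.0.2.9 "GET /" authorization="Basic dXNlcjpwYXNz"',
]
```

A hit is a triage lead rather than proof of compromise; pair it with the account and RMM audit the page recommends further down.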
Outpost24 contacted MITRE for a CVE assignment and started coordinated disclosure with CrushFTP. Both sides agreed to a 90-day non-disclosure window. Standard practice, in theory.
On March 21, CrushFTP released patches (10.8.4 and 11.3.1) and emailed customers privately. No public advisory. No CVE ID attached. The initial email referenced only version 11, leaving version 10 customers unsure whether they were affected. From CrushFTP’s perspective, this was orderly. From the outside, it was a critical vulnerability with a silent fix and no public tracking identifier.
Five days later, VulnCheck, a CNA since April 2023, independently assigned CVE-2025-2825 to the flaw. They did not contact CrushFTP or Outpost24, and did not credit the original discoverers. Within days, ProjectDiscovery and Rapid7 published technical writeups and working proof-of-concept code under VulnCheck’s CVE identifier. The vulnerability was now public, armed, and tracked under a CVE that would later be rejected.
On March 27, MITRE assigned CVE-2025-31161, the identifier Outpost24 had originally requested. This is the point where CrushFTP’s CEO, Ben Spink, publicly confronted VulnCheck: “You don’t know any details on this issue. Yours will be deleted as a duplicate. Your reputation will go down if you do not voluntarily remove your fake item.”
VulnCheck’s Patrick Garrity responded by accusing CrushFTP of trying to “hide the vulnerability from the security community and defenders.”
VulnCheck was wrong to assign without coordination. CrushFTP was wrong to treat a CVSS 9.8 pre-auth bypass as something that could wait 90 days with no public advisory. Those two wrongs did not cancel. They compounded. Defenders got the worst of both: a disclosure process that produced PoC code before it produced a usable tracking identifier.
Two CVEs, one bug, and attackers who don’t wait
By March 30, Shadowserver reported scanning and active exploitation attempts against roughly 1,500 vulnerable CrushFTP instances. By April 3, Huntress confirmed hands-on-keyboard exploitation at five hosts across five separate companies. Three of those five victims shared the same managed service provider.
The attack chain was efficient: authenticate as admin via the bypass, create backdoor accounts with backdated timestamps, deploy remote management tools (AnyDesk, MeshCentral, SimpleHelp), dump the SAM and SYSTEM registry hives, and phone home through a Telegram bot for command and control. The Kill ransomware gang later claimed data theft and extortion via CVE-2025-31161. Affected sectors included marketing, retail, and semiconductors.
On April 4, MITRE formally rejected CVE-2025-2825 and removed it from both CVE.org and the NVD. By that point, defenders had spent nine days tracking two CVE identifiers for the same vulnerability, with PoC code indexed under the one that no longer existed.
CISA added CVE-2025-31161 to its Known Exploited Vulnerabilities catalog on April 7, with a remediation deadline of April 28. Censys data showed 7,524 total CrushFTP instances on the internet, with 815 still unpatched by April 6.
Why it happened
CrushFTP made a calculation. If they could patch quietly, notify customers through private channels, and keep the details suppressed for three months, they could control the timeline. No public advisory means no headlines. No CVE means no one building detections or scanning for it.
This calculation has a name. It is called “security through obscurity,” and it has a perfect track record of failing.
The 90-day non-disclosure window exists to give vendors time to develop and distribute a patch before details go public. It does not exist to give vendors time to avoid public accountability for the flaw. CrushFTP had already shipped the fix on March 21. The patch was in customers’ hands. The only thing a continued embargo protected was the appearance that nothing had been wrong.
When VulnCheck broke the silence, CrushFTP’s CEO responded not by issuing a public advisory, but by threatening VulnCheck’s reputation. That tells you where the priority was. Not on getting defenders the tracking identifier they needed to build detections. Not on confirming that version 10 was also affected. On making sure the story stayed quiet.
The pattern
This is CrushFTP’s second appearance in CISA’s KEV catalog in twelve months. CVE-2024-4040, a VFS sandbox escape, landed on the KEV in April 2024. CVE-2025-31161 followed in April 2025. Two critical, actively exploited vulnerabilities in consecutive years is not bad luck. It is a pattern, and it points to unresolved problems in the development process that no amount of narrative management will fix.
CrushFTP is also not the first managed file transfer product to end up here. Accellion, GoAnywhere, MOVEit, Cleo. Intel 471 found that 47% of high-interest MFT CVEs eventually get weaponized. MFT products sit on the network perimeter, handle sensitive data, and run with high privileges. They are exactly the kind of software that needs to be built and maintained with that target profile in mind.
What to actually expect
If you run CrushFTP, patch to 10.8.4 or 11.3.1 immediately. If patching is delayed, CrushFTP’s DMZ proxy mode blocks the exploit as a workaround. Audit for backdoor admin accounts, especially any with timestamps that predate the patch. Look for unexpected RMM tools. Check for SAM/SYSTEM registry access.
Longer term, treat CrushFTP’s disclosure posture as a risk factor in your vendor assessment. A vendor that responds to a critical vulnerability by threatening researchers and suppressing public advisories is telling you something about how the next one will go.
PatchDay Alert tracks KEV additions daily and flags repeat offenders. When the same product shows up twice in twelve months, that is not a data point to file away. It is a procurement conversation.
CrushFTP had every opportunity to handle this well. Outpost24 gave them coordinated disclosure. MITRE gave them a CVE. The patch was ready. All they had to do was publish an advisory and let defenders do their jobs. Instead, they chose the narrative. The attackers chose the gap.
Sources
- Huntress: CVE-2025-31161 — CrushFTP Authentication Bypass
- Outpost24: CrushFTP CVE-2025-31161 Disclosure
- The Register: CrushFTP CEO Flames VulnCheck
- SecurityWeek: Two CVEs, One CrushFTP Flaw
- Dark Reading: CrushFTP Disclosure Drama
- Field Effect: A Tale of Two CVEs
- Censys: CrushFTP Advisory
- NVD: CVE-2025-31161
- Arctic Wolf: CrushFTP Advisory
- CrushFTP Update Wiki
- CISA KEV Catalog