Two critical vulnerabilities have been identified in widely used software: CrushFTP and Next.js. CrushFTP, a file transfer solution, contains a vulnerability allowing unauthorized access through standard web ports, bypassing security measures.
Additionally, Next.js, a popular React framework, suffers from CVE-2025-29927, which enables attackers to circumvent authorization checks in middleware.
Both vulnerabilities pose significant risks, potentially exposing sensitive data and compromising application security.
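The Next.js issue above is a reminder that an authorization check living only in middleware is a single point of failure. The following is an added example, not code from the article or from the Next.js project: a Node-only model of a middleware gate plus a route handler that re-validates the session itself, so the handler still refuses the request when the middleware is not run. The session store, token format and `/admin` route are constructed assumptions.

```javascript
// Added example (not from the article or the Next.js project): defense in depth for
// authorization, modelled as plain functions so it runs under Node without Next.js.
// The lesson from a middleware bypass is that the route handler must not assume the
// middleware ran; it re-checks the session on its own.

// Constructed session store: bearer token -> user. Assumption: a real app would use a
// signed session cookie or a database lookup instead of an in-memory map.
const SESSIONS = new Map([
  ['tok-alice', { name: 'alice', role: 'admin' }],
  ['tok-bob', { name: 'bob', role: 'user' }],
]);

// Build a minimal request object with lower-cased header names (Node normalises
// incoming headers the same way).
function makeRequest(url, headers = {}) {
  const normalised = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  return { url, headers: normalised };
}

// Resolve the caller's session from the Authorization header, or null.
function getSession(req) {
  const auth = req.headers['authorization'] || '';
  const token = auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : null;
  return token ? SESSIONS.get(token) || null : null;
}

// Middleware-style gate, the equivalent of a Next.js middleware that returns 401 for
// anonymous access to /admin and otherwise lets the request continue (null).
function authMiddleware(req) {
  if (req.url.startsWith('/admin') && !getSession(req)) {
    return { status: 401, body: 'unauthorized (middleware)' };
  }
  return null;
}

// Route handler that does NOT trust the middleware having run: it re-derives the
// session and enforces the role requirement itself.
function adminHandler(req) {
  const session = getSession(req);
  if (!session || session.role !== 'admin') {
    return { status: 403, body: 'forbidden (handler)' };
  }
  return { status: 200, body: `hello ${session.name}` };
}

// Normal pipeline: middleware first, then the handler.
function handleWithMiddleware(req) {
  return authMiddleware(req) || adminHandler(req);
}

// Failure mode: the middleware is skipped and the handler is reached directly.
function handleWithoutMiddleware(req) {
  return adminHandler(req);
}

// Demonstration: the same three callers through both paths.
for (const [label, headers] of [
  ['anonymous', {}],
  ['bob (user)', { Authorization: 'Bearer tok-bob' }],
  ['alice (admin)', { Authorization: 'Bearer tok-alice' }],
]) {
  const req = makeRequest('/admin', headers);
  console.log(
    label,
    'with middleware ->', handleWithMiddleware(req).status,
    '| middleware skipped ->', handleWithoutMiddleware(req).status,
  );
}
```

The point of the second column is that the anonymous request is still rejected (403 rather than 401, because it is now the handler speaking) when the middleware contributes nothing; an application whose only gate is the middleware would return 200 on that path.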
On March 21, 2025, CrushFTP developers disclosed this security flaw to customers via email, confirming that both version 10 and version 11 installations are vulnerable if specific configurations are in place.
According to the vendor’s advisory, this particular vulnerability does not affect systems that use CrushFTP’s DMZ functionality.
“The unauthorized port access vulnerability creates a significant security risk for organizations relying on CrushFTP for sensitive file transfers,” said a Rapid7 security analyst.
“The vulnerability allows attackers to potentially gain initial access without authentication, which represents a critical security breakdown.”
File transfer technologies like CrushFTP are considered high-value targets for ransomware operators and threat actors seeking to access and exfiltrate sensitive organizational data quickly.
This is particularly concerning as CrushFTP has previously been targeted by adversaries for similar purposes.
The vulnerability has been patched in CrushFTP version 11.3.1 and later releases. Security professionals recommend immediate updates without waiting for regular patch cycles.
The fix addresses the core HTTP(S) port handling mechanism that allowed the unauthorized access vector.
Security code implementation should include:
Organizations using CrushFTP should immediately:
Rapid7 has released detection capabilities for both vulnerabilities in its security products.
InsightVM and Nexpose customers who run CrushFTP on Linux can assess their exposure to the unauthenticated HTTP(S) port access issue with vulnerability checks available since March 21, 2025.
As of March 25, 2025, neither vulnerability is known to have been exploited in the wild, but security professionals emphasize that rapid patching is essential given the critical nature of these file transfer systems and the history of similar vulnerabilities being targeted soon after disclosure.
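Because the article's remediation for CrushFTP is a version threshold (11.3.1 and later), the first triage step is an accurate version comparison across an inventory, which naive string comparison gets wrong (for example "11.3.10" sorts before "11.3.1" as text). The following is an added example, not code from the article, Rapid7 or CrushFTP: it parses dotted versions numerically, flags hosts below the fixed version, and records the DMZ caveat the advisory makes. The inventory records and the `usesDmz` field are constructed assumptions.

```javascript
// Added example (not from the article, Rapid7 or CrushFTP): triage a CrushFTP host
// inventory against the fixed version the article names. Inventory is constructed.
const FIXED_VERSION = '11.3.1';

// Parse "11.3.1" -> [11, 3, 1]; missing trailing segments are treated as 0, so
// "11.3" compares equal to "11.3.0". Throws on anything non-numeric.
function parseVersion(v) {
  const parts = String(v).trim().split('.').map((p) => parseInt(p, 10));
  if (parts.length === 0 || parts.some(Number.isNaN)) {
    throw new Error(`bad version string: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Numeric segment-by-segment comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Classify one host. 'usesDmz' reflects the advisory's note that DMZ deployments are
// not affected; the host is still reported so it is not forgotten at upgrade time.
function triageHost(host) {
  const outdated = compareVersions(host.version, FIXED_VERSION) < 0;
  if (!outdated) {
    return { host: host.name, action: 'none', reason: `at or above ${FIXED_VERSION}` };
  }
  if (host.usesDmz) {
    return { host: host.name, action: 'schedule-upgrade', reason: 'below fixed version but DMZ deployment (not affected per vendor advisory)' };
  }
  return { host: host.name, action: 'upgrade-now', reason: 'below fixed version, HTTP(S) ports exposed' };
}

// Sort so the urgent items come first.
const PRIORITY = { 'upgrade-now': 0, 'schedule-upgrade': 1, none: 2 };
function triageInventory(hosts) {
  return hosts.map(triageHost).sort((x, y) => PRIORITY[x.action] - PRIORITY[y.action]);
}

// Constructed inventory for demonstration.
const INVENTORY = [
  { name: 'ftp-01', version: '10.8.2', usesDmz: false },
  { name: 'ftp-02', version: '11.3.1', usesDmz: false },
  { name: 'ftp-03', version: '11.3.10', usesDmz: false },
  { name: 'ftp-04', version: '11.2', usesDmz: true },
];

for (const row of triageInventory(INVENTORY)) {
  console.log(`${row.host}: ${row.action} (${row.reason})`);
}
```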