Sunday, May 25, 2025

CrushFTP Warns of HTTP(S) Port Vulnerability Enabling Unauthorized Access


Both CrushFTP, a popular file transfer technology, and Next.js, a widely used React framework for building web applications, have come under scrutiny due to significant vulnerabilities.

Rapid7 has highlighted these issues, emphasizing their potential impact on data security and unauthorized access.

Overview of Vulnerabilities

Next.js Vulnerability (CVE-2025-29927):

This critical vulnerability involves improper authorization in middleware, potentially allowing attackers to bypass security checks within Next.js applications.

However, as of March 25, 2025, there are no reported instances of this vulnerability being exploited in the wild.

  • Impact and Risk: CVE-2025-29927 arises from how middleware is handled in Next.js applications. By manipulating specific headers in requests, attackers might bypass authentication checks, though the impact is highly dependent on how individual applications configure their middleware.
  • Mitigation and Updates: To mitigate this risk, developers should assess whether their applications rely solely on Next.js middleware for authentication. If so, updating to the latest versions of Next.js (e.g., 13.5.9, 14.2.25, 15.2.3) is crucial. Additionally, if applications use back-end APIs for server-side authentication, the vulnerability may not lead to unauthorized access.
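Why the advice not to rely solely on middleware for authentication matters, as an added example (not from the article or Rapid7): a plain Node.js simulation of a Next.js-style pipeline in which the route handler re-verifies the session itself, so a request that reaches the handler without the middleware check having run is still rejected. The session store, cookie format and handler names are constructed for this example.

```javascript
// Added example, not from the article: defence in depth against a
// middleware authorization bypass. The session store and cookie name are
// constructed for the example.
const SESSIONS = new Map([
  ["sess-a1b2", { user: "alice", role: "admin" }],
  ["sess-c3d4", { user: "bob", role: "user" }],
]);

// Resolve the caller's session from the Cookie header (null if absent/unknown).
function authenticate(headers) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(headers.cookie || "");
  return m ? SESSIONS.get(m[1]) || null : null;
}

// Middleware gate: returns a 401 response unless a valid session is present.
function authMiddleware(req) {
  return authenticate(req.headers)
    ? null
    : { status: 401, body: "blocked by middleware" };
}

// Weak design: the handler assumes middleware already authenticated the caller.
function trustingHandler() {
  return { status: 200, body: "secret data" };
}

// Hardened design: the handler re-verifies the session and the role itself.
function verifyingHandler(req) {
  const session = authenticate(req.headers);
  if (!session) return { status: 401, body: "unauthenticated" };
  if (session.role !== "admin") return { status: 403, body: "forbidden" };
  return { status: 200, body: `secret data for ${session.user}` };
}

// middlewareRuns=false models a request that reaches the handler without the
// middleware check being applied, which is the effect of a middleware bypass.
function dispatch(req, handler, middlewareRuns) {
  if (middlewareRuns) {
    const denied = authMiddleware(req);
    if (denied) return denied;
  }
  return handler(req);
}

// Constructed requests: no cookie, a non-admin session, an admin session.
const anonymous = { headers: {} };
const user = { headers: { cookie: "session=sess-c3d4" } };
const admin = { headers: { cookie: "session=sess-a1b2" } };

console.log(dispatch(anonymous, trustingHandler, false).status);  // 200: data leaks
console.log(dispatch(anonymous, verifyingHandler, false).status); // 401: still denied
```

The trusting handler leaks data as soon as the middleware check is skipped, while the verifying handler produces the same 401/403 decisions whether or not middleware ran.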

CrushFTP Vulnerability: 

Although not yet assigned a CVE number, CrushFTP has disclosed an unauthenticated HTTP(S) port access vulnerability.

This issue could allow unauthorized access to sensitive data if not addressed promptly. Unlike Next.js, CrushFTP has been exploited by attackers in the past, which makes securing against this threat all the more urgent.

  • Impact and Risk: The disclosed vulnerability in CrushFTP, affecting versions 10 and 11, could allow unauthorized access via unauthenticated HTTP(S) ports. The risk is particularly concerning given CrushFTP’s past exploitation by adversaries seeking to access and exfiltrate sensitive data.
  • Mitigation and Updates: CrushFTP customers are advised to upgrade to version 11.3.1 or later to resolve this vulnerability. Implementing the DMZ function within CrushFTP can also prevent exploitation, even without the update.

Both vulnerabilities underscore the importance of proactive security measures and timely updates to safeguard against potential threats, especially in technologies that have been targeted previously, like CrushFTP.

As neither vulnerability has yet been reported as exploited in the wild, organizations and developers have a critical window to address these issues before malicious actors can exploit them.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
