Cyber Security News

CrushFTP Warns of HTTP(S) Port Vulnerability Enabling Unauthorized Access

Both CrushFTP, a widely deployed managed file transfer server, and Next.js, a widely used React framework for building web applications, have come under scrutiny due to significant vulnerabilities.

Rapid7 has highlighted these issues, emphasizing their potential impact on data security and unauthorized access.

Overview of Vulnerabilities

Next.js Vulnerability (CVE-2025-29927): 

This critical vulnerability is an authorization bypass in the Next.js middleware layer: a crafted request can cause middleware to be skipped entirely, so any authentication, authorization or redirect logic implemented only in middleware does not run for that request.

However, as of March 25, 2025, there are no reported instances of this vulnerability being exploited in the wild.

  • Impact and Risk: CVE-2025-29927 arises from how Next.js decides whether middleware should run for a request. By setting a specific internal header (x-middleware-subrequest) on a request, an attacker can make the framework treat it as an internal sub-request and skip middleware altogether. The practical impact depends entirely on how an individual application uses middleware: applications that enforce authentication and authorization only in middleware are exposed, while applications that also verify the session in their route handlers, server components or back-end APIs are not directly affected.
  • Mitigation and Updates: Developers should first assess whether their applications rely solely on Next.js middleware for authentication. Regardless of the answer, update to a patched release: 15.2.3, 14.2.25 or 13.5.9 (a 12.3.5 backport was also published). Where an immediate upgrade is not possible, strip the x-middleware-subrequest header from incoming requests at the reverse proxy or CDN in front of the application so that external clients cannot supply it. Applications that perform server-side authentication in back-end APIs or route handlers, independently of middleware, will not grant unauthorized access even if middleware is bypassed, which is the defence-in-depth posture to aim for in any case.

CrushFTP Vulnerability: 

Although not yet assigned a CVE number, CrushFTP has disclosed an unauthenticated HTTP(S) port access vulnerability.

If left unpatched, this issue could allow unauthorized access to sensitive data. Unlike Next.js, CrushFTP has a recent history of exploitation by adversaries, which adds urgency to addressing this flaw even though the new vulnerability itself has not yet been reported as exploited.

  • Impact and Risk: The disclosed vulnerability, which affects the CrushFTP 10 and 11 release lines, could allow an unauthenticated attacker who can reach the server's HTTP(S) port to gain access without valid credentials. The risk is particularly concerning given CrushFTP's past exploitation by adversaries seeking to access and exfiltrate sensitive data, and because file transfer servers are, by design, exposed to the internet and hold exactly the data such attackers want.
  • Mitigation and Updates: CrushFTP customers are advised to upgrade to version 11.3.1 or later (users still on the version 10 line should move to the corresponding patched 10.x release or to 11.3.1 or later) and confirm the running version after the upgrade. According to CrushFTP, deployments that use its DMZ function, where an internet-facing DMZ instance fronts the internal server, are protected from exploitation even before the update is applied; this is a mitigating control, not a substitute for patching.

Both vulnerabilities underscore the importance of proactive security measures and timely updates, especially for technologies that have been targeted previously, like CrushFTP.

As neither vulnerability had been reported as exploited in the wild at the time of writing, organizations and developers have a critical window in which to patch, verify that application-level authentication does not depend on a single bypassable layer, and confirm that file transfer servers are running a fixed version before attackers begin to exploit these issues.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
