Summary: The CVE controversy surrounding a CrushFTP vulnerability highlights the tensions between the vulnerability intelligence firm VulnCheck and CrushFTP regarding the assignment of CVEs. Following a critical vulnerability disclosure, two separate CVEs were assigned by different organizations, leading to confusion and exploitation attempts shortly after the flaw was publicized. Although patches were released, hundreds of vulnerable instances remain exposed while the debate over responsible disclosure continues.
Affected: CrushFTP
Key points:
- CrushFTP versions 10 and 11 are vulnerable to a critical flaw allowing remote hacking.
- Two CVEs (CVE-2025-2825 by VulnCheck and CVE-2025-31161 by Outpost24) were assigned for the same vulnerability, creating confusion in the security community.
- Exploitation attempts have been traced back to the flaw, affecting hundreds of instances worldwide that are still unpatched.