Vulnerable CrushFTP file transfer software instances impacted by the critical authentication bypass flaw CVE-2025-31161, which was previously tracked as CVE-2025-2825, have been exploited to compromise four organizations in the retail, marketing, and semiconductor sectors, three of which had the same managed service provider, according to SecurityWeek. Most of the intrusions involved exploitation of the vulnerability to deliver the MeshAgent open-source remote monitoring tool and a DLL file that indicated the use of a Telegram bot to gather telemetry from breached hosts, while one attack entailed AnyDesk installation before the deployment of SAM and System registry hives for credential compromise, a report from Huntress revealed. Ongoing abuse of the security issue, which CrushFTP developers have blamed on VulnCheck's premature CVE designation, prompted its inclusion in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog on Monday. However, the Shadowserver Foundation reported that such attacks have declined since fixes were issued on Mar. 21.
Vulnerability Management, Threat Intelligence
Attacks involving critical CrushFTP vulnerability target several sectors
