Source URL: https://www.theregister.com/2025/03/27/crushftp_cve/
Source: The Register
Title: CrushFTP CEO’s feisty response to VulnCheck’s CVE for critical make-me-admin bug
Feedly Summary: Screenshot shows company head unhappy, claiming ‘real CVE is pending’
CrushFTP’s CEO is not happy with VulnCheck after the CVE numbering authority (CNA) released an unofficial ID for the critical vulnerability in its file transfer tech disclosed almost a week ago.…
AI Summary and Description: Yes
Summary: The recent controversy involving CrushFTP and VulnCheck highlights significant concerns regarding vulnerability disclosure processes and security practices in file transfer technologies. The primary issue is delayed CVE issuance, which hinders effective vulnerability tracking, a crucial aspect of the work of IT security professionals.
Detailed Description:
The text outlines an ongoing dispute between CrushFTP and VulnCheck regarding the management and disclosure of a critical vulnerability in CrushFTP’s file transfer technology. The situation raises important issues on vulnerability disclosure and its implications for security and compliance professionals.
– **Key Players**:
  – **CrushFTP**: A provider of file transfer solutions. Its CEO, Ben Spink, expressed dissatisfaction with VulnCheck’s unofficial CVE ID assignment.
  – **VulnCheck**: A security firm that assigns CVEs and conducted an assessment of the vulnerability.
– **Context of the Vulnerability**:
  – A critical vulnerability was publicly announced by CrushFTP, urging users to patch their systems immediately, yet no official CVE had been released by CrushFTP within a week.
  – VulnCheck assigned an unofficial CVE (CVE-2025-2825) linked to the vulnerability.
– **Importance of Timely CVE Issuance**:
  – Timeliness in the issuance of CVEs is critical to allow security teams to track, prioritize, and mitigate vulnerabilities without unnecessary delays.
  – The withholding of CVEs can lead to confusion among customers and increased risk.
– **Nature of the Vulnerability**:
  – The vulnerability described is an unauthenticated access bug that, if exploited, could allow attackers to access file servers via specially crafted HTTP requests.
  – The exploitation requires no privileges or user interaction, categorizing it as low-complexity and potentially high-impact.
– **Historical Context of Vulnerabilities**:
  – Previous incidents, such as exploited vulnerabilities in similar file transfer applications (e.g., MOVEit, Cleo, GoAnywhere, Accellion FTA), illustrate the heightened risks for such technologies, emphasizing the need for reliable security practices.
– **Conflicting Information**:
  – The advisory from CrushFTP seems to contain information that conflicts with earlier customer communications, raising further concerns about the company’s transparency and responsiveness regarding security issues.
This incident is a pertinent reminder for security professionals about the need for:
– **Reliable Vulnerability Disclosure**: Ensuring timely and accurate information flow about vulnerabilities within organizations.
– **Crisis Communication**: The importance of clear and consistent messaging to avoid confusion among users regarding vulnerability impacts.
– **Exploit Awareness**: The potential for attacks on file transfer applications, particularly given their appeal to ransomware groups, calls for vigilance and ongoing monitoring of such systems.
Overall, the CrushFTP situation underscores critical lessons in vulnerability management and the implications of security disclosure practices in maintaining trust among users and stakeholders.