Jonathan Greig reports on another vulnerability affecting file transfer software that has been exploited soon after disclosure. In this case, though, there’s some contentious statements about responsible disclosure or lack thereof.
Federal cybersecurity officials as well as incident responders at cyber companies say hackers are exploiting a vulnerability within the popular file transfer tool Crush.
The warnings to customers of CrushFTP — used by thousands of companies to send and receive important data — have increased over the last two weeks, with the Cybersecurity and Infrastructure Security Agency (CISA) confirming on Monday that the bug is being exploited.
Crush initially alerted customers on March 21, urging them to update their systems to the latest version. The bug, CVE-2025-31161, was discovered by researchers at Outpost24.
Outpost24 contacted CrushFTP on March 13 and planned to wait 90 days before publicly disclosing the vulnerability — in an effort to give customers a chance to patch.
But other researchers also discovered the bug and quickly filed their own CVE number for it, confusing defenders and publicizing critical information now used by attackers.
“The vulnerability was responsibly disclosed by Outpost24. Someone else looking for some fame, it seems, managed to reverse engineer our changes that we had bundled up and published a public disclosure detailing the exploit method and taking credit for the vulnerability,” a spokesperson for CrushFTP told Recorded Future News.
“The only credit they deserve is weaponizing the vulnerability before our end customers got around to updating. We have been pushing people to update as much as we can. Everyone on our security distribution list was notified.”
Read more at The Record.