
CISA, experts warn of Crush file transfer attacks as ransomware gang makes threats

Federal cybersecurity officials as well as incident responders at cyber companies say hackers are exploiting a vulnerability in the popular file transfer tool Crush.

The warnings to customers of CrushFTP — used by thousands of companies to send and receive important data — have increased over the last two weeks, with the Cybersecurity and Infrastructure Security Agency (CISA) confirming on Monday that the bug is being exploited.

Crush initially alerted customers on March 21, urging them to update their systems to the latest version. The bug, CVE-2025-31161, was discovered by researchers at Outpost24.

Outpost24 contacted CrushFTP on March 13 and planned to wait 90 days before publicly disclosing the vulnerability — in an effort to give customers a chance to patch.

But other researchers also discovered the bug and quickly filed their own CVE number for it, confusing defenders and publicizing critical information now used by attackers.

“The vulnerability was responsibly disclosed by Outpost24. Someone else looking for some fame, it seems, managed to reverse engineer our changes that we had bundled up and published a public disclosure detailing the exploit method and taking credit for the vulnerability,” a spokesperson for CrushFTP told Recorded Future News.

“The only credit they deserve is weaponizing the vulnerability before our end customers got around to updating. We have been pushing people to update as much as we can. Everyone on our security distribution list was notified.”

Cybercriminals say they have ‘sensitive data’

Over the last two weeks, defenders have warned that hackers are now exploiting the bug, and on Monday the Kill ransomware gang claimed it had "obtained significant volumes of sensitive data" by exploiting CVE-2025-31161. The gang said it will begin extorting victims immediately.

Outpost24 and multiple incident response companies confirmed that organizations are being attacked through the bug, and both Shadowserver and Censys said there are hundreds of exposed CrushFTP instances on the internet. CISA gave federal agencies until April 28 to patch any instances of CrushFTP.

The CrushFTP spokesperson said that now that the vulnerability is weaponized, the company will send another email urging customers to update their systems.

“Outpost24 was delaying their publication to give people some time to update before releasing details for the very reason of what has just occurred,” they said.

“Anyone unpatched needs to urgently patch. All recent v10 versions and all v11 versions were affected.”

The spokesperson noted that there are workarounds that mitigate the vulnerability but that would not show up in internet scans, potentially skewing the number of unpatched servers counted by Shadowserver and Censys.

Incident responders at Huntress said they have seen exploitation of the bug at four different companies in several industries including marketing, retail, and semiconductors.

CrushFTP is the latest file transfer software to face mass exploitation following repeated attacks on popular tools from Cleo, MOVEit, GoAnywhere and Accellion. Last Friday, American food manufacturing giant WK Kellogg confirmed that hackers stole employee information through the Cleo file transfer tool.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.