‘CrushFTP’, a popular file-sharing platform, is the latest target in a recent trend in supply chain cyber attacks.
Recent threat intelligence reveals that threat actors are exploiting a critical vulnerability in the CrushFTP platform to exfiltrate data from end users’ environments. The threat group known as ‘Kill Security’ (or the ‘Kill’ ransomware group) is the first to claim responsibility for exploiting the vulnerability.
Given the number of organisations that rely on CrushFTP for both internal and external file transfers, the scale of this incident is expected to be significant and far-reaching.
Organisations should ensure that they patch to the latest version of CrushFTP, review any impact to their systems via the platform, including potential data exfiltration, and consider their potential legal and regulatory obligations in the event of a compromise.
Key takeaways
- Threat groups are exploiting a critical vulnerability in the file sharing platform, CrushFTP.
- The vulnerability allows attackers to bypass authentication, giving them access to the file transfer environment and the data held within it.
- Data is being exfiltrated from many user accounts by threat actors, which may then be used to hold an organisation to ransom.
- Organisations are encouraged to take remediation steps to update CrushFTP to the latest version, to conduct investigations to confirm whether the vulnerability has been exploited, and to consider whether any urgent legal and regulatory considerations arise.
Background
On 21 March 2025, CrushFTP announced a vulnerability affecting their file transfer platform (versions 10 and 11 in particular). The vulnerability, recorded as ‘CVE-2025-31161’, appears to allow threat actors to bypass authentication and gain access to user accounts.
The threat group ‘Kill Security’ (or ‘Kill’ ransomware group) have already claimed responsibility for co-ordinating the early exploitation of this vulnerability, potentially impacting thousands of users. Reports suggest that the ‘Kill’ group claim to have ‘obtained significant volumes of sensitive data’, with a plan to start extorting their victims (i.e. the end users of the CrushFTP platform).
It is unclear when the vulnerability was first exploited, and it cannot be ruled out that other threat groups aside from ‘Kill’ have also exploited it. What we do know is that our clients have reported having some of their data stolen as a result of the exploitation of the vulnerability towards the end of March and early April 2025.
Whilst it is still very early days, the ‘Kill’ group appear to be following a very similar attack method to that of the ‘Cl0p’ group, which breached the ‘MOVEit’ file transfer platform in 2023 and then extorted individual users of the platform as secondary victims.
What are the legal and regulatory implications?
Organisations using CrushFTP need to consider the potential legal and regulatory obligations flowing from a potential compromise. The same considerations apply if an organisation shares data with a supplier or other third party which uses CrushFTP in the course of processing that data.
In particular, organisations should first determine whether any personal data was accessed or taken as a result of the potential exploitation of the vulnerability. If it is believed that such a breach has occurred, organisations should then conduct a risk assessment to determine whether a notification is required: (i) to the data protection regulator (e.g. the ICO if you are in the UK), and (ii) to individuals whose personal data has been compromised.
It is important to be aware that different data protection regimes around the world may apply depending on the data in scope, and strict notification deadlines are also likely to apply (e.g. 72 hours under the UK and EU GDPR). There might also be industry-specific regulatory obligations to navigate, depending on the nature of the impacted organisation’s business.
Comment
In short, organisations should urgently investigate whether the vulnerability in their CrushFTP platform has been exploited and, if so, consider whether a data breach has occurred. If it has, the organisation may need to notify regulators, including data protection regulators in the UK and worldwide, as well as any industry-specific regulators, impacted employees, clients and/or other stakeholders.
If the MOVEit attack in 2023 is anything to go by, we should expect to see a growing number of extortion attempts and data leaks over the coming weeks. Organisations should act quickly to investigate and limit any potential impact.
Related article: When cyber criminals decide to MOVEit, MOVEit: Legal implications and remediation steps required