Posts

Showing posts from August, 2025

CrushFTP vulnerability CVE-2025-54309 Exploited in the Wild

CISA reports that CrushFTP has an 'Unprotected Alternate Channel' vulnerability that is being exploited in the wild. This class of weakness is an access-control problem: a secondary channel into a resource is not protected to the same level as the primary one. Here the primary channel is the validation of AS2 protocol messages, while the alternate channel that grants access is HTTPS. CISA's alert came on July 22, 2025, four days after reports from the vendor and from Rapid7. The affected versions of the managed file transfer product are CrushFTP 10 before 10.8.5 and CrushFTP 11 before 11.3.4_23. The vendor has stated that the vulnerability does not arise when the DMZ proxy feature is in use, but Rapid7 has advised against relying on that as protection; the dependable fix is to upgrade to a fixed version.

Remote Code Execution vulnerability in Wing FTP Server has been exploited in the wild

The US Cybersecurity and Infrastructure Security Agency (CISA) has alerted on in-the-wild exploitation of a 'NUL character' vulnerability in Wing FTP Server, that is, a failure to neutralise a null byte in attacker-supplied input. The vulnerability exists in versions of the product before 7.4.4. It is rated critical, with a CVSS score of 10.0.
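Both posts above give a fix threshold rather than a list of affected builds, so the practical check on an estate is a version comparison. The example below is an added illustration, not code from CISA, CrushFTP, Wing FTP or Rapid7. It encodes only the thresholds stated in the two posts (CrushFTP 10 before 10.8.5, CrushFTP 11 before 11.3.4_23, Wing FTP Server before 7.4.4); the branch boundaries `10.0.0`, `11.0.0` and `12.0.0` and the product keys `crushftp` and `wingftp` are the example's own assumptions. It handles the CrushFTP `_NN` build suffix, which sorts after the dotted part, so that `11.3.4` and `11.3.4_22` both count as below the fix while `11.3.4_23` counts as fixed. Deliberately, it takes no "DMZ proxy in use" input: per Rapid7's advice in the post above, that feature is not treated as a mitigation.

```python
import re
from typing import Tuple

# Thresholds taken from the two posts above. Each entry is
# (branch start inclusive, first fixed version, branch end exclusive or None).
# The branch boundaries are this example's assumption; the fixed versions are
# the ones the posts state.
ADVISORIES = {
    "crushftp": [
        ("10.0.0", "10.8.5", "11.0.0"),
        ("11.0.0", "11.3.4_23", "12.0.0"),
    ],
    "wingftp": [
        ("0.0.0", "7.4.4", None),  # "before 7.4.4" with no lower bound given
    ],
}

# major.minor[.patch][_build]; the "_build" form is CrushFTP's convention.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a version string into a (major, minor, patch, build) tuple.

    Missing patch or build components sort as 0, so "11.3.4" < "11.3.4_23".
    Raises ValueError for anything that does not match the expected shape,
    rather than silently treating it as version 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build or 0))


def assess(product: str, version: str) -> str:
    """Classify an installed version against the advisory thresholds.

    Returns "vulnerable" if the version is inside a listed branch and below
    that branch's fixed version, "fixed" if inside a listed branch at or above
    the fix, and "unlisted" if no listed branch covers it (e.g. CrushFTP 9,
    which the posts do not mention and which should be checked against the
    vendor advisory rather than assumed safe).
    """
    v = parse_version(version)
    for low, fixed, high in ADVISORIES[product.lower()]:
        in_branch = parse_version(low) <= v and (
            high is None or v < parse_version(high)
        )
        if in_branch:
            return "vulnerable" if v < parse_version(fixed) else "fixed"
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("crushftp", "11.3.4_22"),
        ("crushftp", "11.3.4"),
        ("crushftp", "11.3.4_23"),
        ("crushftp", "10.8.4"),
        ("crushftp", "9.9.9"),
        ("wingftp", "7.4.3"),
        ("wingftp", "7.4.4"),
    ]
    for product, ver in inventory:
        print(f"{product:9} {ver:10} -> {assess(product, ver)}")
```

Note that `assess` is only as good as the thresholds it encodes; if a vendor publishes a further fixed build, the table has to be updated, and anything reported as "unlisted" needs a manual check against the vendor's own advisory.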