Public
- Public
- Network
- Groups
- Featured
- Popular
- People

VulnCheck has been a CVE Numbering Authority (CNA) since April 2023 and it is allowed to assign CVE identifiers to vulnerabilities found in software that is not specifically covered by other CNAs. However, CrushFTP was not happy with the decision, arguing that the “real CVE” had been pending. Indeed, roughly 10 days after disclosure, CrushFTP told SecurityWeek that the CVE for this vulnerability is CVE-2025-31161, which was assigned by Outpost24, the security firm credited for responsibly disclosing the flaw to the vendor.

Download link

VulnCheck has been a CVE Numbering Authority (CNA) since April 2023 and it is allowed to assign CVE identifiers to vulnerabilities found in software that is not specifically covered by other CNAs. However, CrushFTP was not happy with the decision, arguing that the “real CVE” had been pending. Indeed, roughly 10 days after disclosure, CrushFTP told SecurityWeek that the CVE for this vulnerability is CVE-2025-31161, which was assigned by Outpost24, the security firm credited for responsibly disclosing the flaw to the vendor.
https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/279/568/311/468/701/original/c44506e0803e839c.jpeg

Notices where this attachment appears

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Friday, 04-Apr-2025 21:21:29 JST Will Dormann
in reply to

Apparently the CVE system is for bickering. 🤷♂️
https://www.securityweek.com/details-emerge-on-cve-controversy-around-exploited-crushftp-vulnerability/

In conversation about a day ago from infosec.exchange permalink