
Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on Unpatched Servers



Jul 20, 2025 · Ravie Lakshmanan · Vulnerability / Threat Intelligence

A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS score of 9.0.

“CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS,” according to a description of the vulnerability in NIST’s National Vulnerability Database (NVD).

CrushFTP, in an advisory, said it first detected zero-day exploitation of the vulnerability in the wild on July 18, 2025, 9 a.m. CST, although it acknowledged that it may have been weaponized much earlier.


“The attack vector was HTTP(S) for how they could exploit the server,” the company said. “We had fixed a different issue related to AS2 in HTTP(S) not realizing that a prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.”

CrushFTP is widely used in government, healthcare, and enterprise environments to manage sensitive file transfers, which makes administrative access especially dangerous. A compromised instance can allow attackers to exfiltrate data, plant backdoors, or pivot into internal systems that rely on the server for trusted exchange. Without DMZ isolation, the exposed instance becomes a single point of failure.

The company said the unknown threat actors behind the malicious activity managed to reverse engineer its source code and discovered the new flaw in order to target systems that have not yet been updated to the latest versions. CVE-2025-54309 is believed to have been present in CrushFTP builds prior to July 1.

CrushFTP has also released the following indicators of compromise (IoCs) –

  • Default user has admin access
  • Long random user IDs created (e.g., 7a0d26089ac528941bf8cb998d97f408m)
  • Other new usernames created with admin access
  • The file “MainUsers/default/user.xml” was recently modified and has a “last_logins” value in it
  • Buttons from the end-user web interface disappeared, and users previously identified as regular users now have an Admin button

Security teams investigating a possible compromise should review user.xml modification times, correlate admin login events with public IPs, and audit permission changes on high-value folders. It is also essential to look for suspicious patterns in access logs tied to newly created users or unexplained admin role escalations, which are typical indicators of post-exploitation behavior in real-world breaches.
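The file-based indicators above and the triage steps just described can be turned into a small, repeatable check. The following Python script is an added example (it is not code from CrushFTP or from the article) and it makes several assumptions: a MainUsers/<name>/user.xml layout, the element names `user_admin` and `last_logins` (assumed tag names; adapt them to the real CrushFTP schema), a "recently modified" window of seven days, and an allowlist of internal address ranges used to decide which admin logins count as coming from public IPs. The sample user tree and login events it builds are constructed for the demonstration.

```python
"""Triage helper for the CrushFTP user.xml indicators (added example, not vendor code).

Assumptions (not from the advisory): MainUsers/<name>/user.xml layout,
<user_admin> and <last_logins> element names, a 7-day "recent" window,
and the INTERNAL_NETS list below as the organisation's own ranges.
"""
import ipaddress
import os
import re
import tempfile
import time
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Optional, Tuple

# Matches IDs like 7a0d26089ac528941bf8cb998d97f408m from the advisory:
# a long run of hex digits with an optional trailing letter.
RANDOM_ID_RE = re.compile(r"^[0-9a-f]{24,}[a-z]?$")
RECENT_SECONDS = 7 * 24 * 3600
# Assumed internal ranges; anything outside them is treated as a public source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def find_indicators(main_users: Path, now: Optional[float] = None) -> List[str]:
    """Walk MainUsers/*/user.xml and report the advisory's file-based IoCs."""
    now = time.time() if now is None else now
    findings = []
    for user_xml in sorted(main_users.glob("*/user.xml")):
        name = user_xml.parent.name
        try:
            root = ET.parse(user_xml).getroot()
        except ET.ParseError as exc:
            findings.append(f"{name}: unparseable user.xml ({exc})")
            continue
        is_admin = (root.findtext("user_admin") or "").strip().lower() == "true"
        has_last_logins = root.find("last_logins") is not None
        recent = now - user_xml.stat().st_mtime < RECENT_SECONDS
        if name == "default":
            if is_admin:
                findings.append("default: default user has admin access")
            if recent and has_last_logins:
                findings.append("default: user.xml recently modified and contains last_logins")
        else:
            if RANDOM_ID_RE.match(name):
                findings.append(f"{name}: long random-looking user ID")
            if is_admin and recent:
                findings.append(f"{name}: recently created/modified account with admin access")
    return findings


def public_admin_logins(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (user, ip) admin login pairs whose source IP is outside INTERNAL_NETS."""
    flagged = []
    for user, ip_text in events:
        ip = ipaddress.ip_address(ip_text)
        if not any(ip in net for net in INTERNAL_NETS):
            flagged.append((user, ip_text))
    return flagged


def _write_user(main_users: Path, name: str, admin: bool, last_logins: bool, age_s: int = 0) -> None:
    """Write a constructed user.xml; age_s backdates its mtime to simulate an old file."""
    d = main_users / name
    d.mkdir(parents=True)
    body = f"<user><username>{name}</username><user_admin>{str(admin).lower()}</user_admin>"
    if last_logins:
        body += "<last_logins><login>2025-07-18 09:00</login></last_logins>"
    body += "</user>"
    p = d / "user.xml"
    p.write_text(body)
    if age_s:
        old = time.time() - age_s
        os.utime(p, (old, old))


def run_demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Build a constructed MainUsers tree and sample admin logins, then triage both."""
    with tempfile.TemporaryDirectory() as tmp:
        main_users = Path(tmp) / "MainUsers"
        _write_user(main_users, "default", admin=True, last_logins=True)
        _write_user(main_users, "7a0d26089ac528941bf8cb998d97f408m", admin=True, last_logins=False)
        # A long-standing, non-admin account that should not be flagged.
        _write_user(main_users, "alice", admin=False, last_logins=True, age_s=90 * 24 * 3600)
        findings = find_indicators(main_users)
    # Constructed admin login events: (user, source IP).
    events = [("alice", "10.0.0.5"), ("7a0d26089ac528941bf8cb998d97f408m", "203.0.113.7")]
    return findings, public_admin_logins(events)


if __name__ == "__main__":
    findings, logins = run_demo()
    for line in findings:
        print(line)
    for user, ip in logins:
        print(f"admin login from public IP: {user} via {ip}")
```

Point `find_indicators` at the real MainUsers directory and feed `public_admin_logins` the (user, IP) pairs extracted from the server's access logs; every hit should then be checked against the upload/download reports the advisory asks operators to review.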

As mitigations, the company recommends that users restore a prior default user from the backup folder, as well as review upload/download reports for any signs of suspicious transfers. Other steps include –

  • Limit the IP addresses used for administrative actions
  • Allowlist IPs that can connect to the CrushFTP server
  • Switch to a DMZ CrushFTP instance for enterprise use
  • Ensure automated updates are enabled

At this stage, the exact nature of the attacks exploiting the flaw is not known. Earlier this April, another security defect in the same product (CVE-2025-31161, CVSS score: 9.8) was weaponized to deliver the MeshCentral agent and other malware.

Last year, it also emerged that a second critical vulnerability impacting CrushFTP (CVE-2024-4040, CVSS score: 9.8) was leveraged by threat actors to target multiple U.S. entities.

With multiple high-severity CVEs exploited over the past year, CrushFTP has emerged as a recurring target in advanced threat campaigns. Organizations should factor this pattern into broader threat exposure assessments, alongside patch cadence, third-party file transfer risks, and zero-day detection workflows involving remote access tools and credential compromise.