
Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on Unpatched Servers

A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS score of 9.0.

“CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS,” according to a description of the vulnerability in NIST’s National Vulnerability Database (NVD).

CrushFTP, in an advisory, said it first detected zero-day exploitation of the vulnerability in the wild on July 18, 2025, at 9 a.m. CST, though it acknowledged that the flaw may have been weaponized much earlier.


“The attack vector was HTTP(S) for how they could exploit the server,” the company said. “We had fixed a different issue related to AS2 in HTTP(S) not realizing that a prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.”


CrushFTP is widely used in government, healthcare, and enterprise environments to manage sensitive file transfers, which makes administrative access especially dangerous. A compromised instance can let attackers exfiltrate data, plant backdoors, or pivot into internal systems that rely on the server for trusted exchange. Without DMZ isolation, the exposed instance becomes a single point of failure.

The company said the unknown threat actors behind the malicious activity managed to reverse engineer its source code and discovered the new flaw in order to target devices that have yet to be updated to the latest versions. CVE-2025-54309 is believed to be present in CrushFTP builds prior to July 1.

CrushFTP has also released the following indicators of compromise (IoCs):

  • The default user has admin access
  • Long random user IDs created (e.g., 7a0d26089ac528941bf8cb998d97f408m)
  • Other new usernames created with admin access
  • The file “MainUsers/default/user.xml” was recently modified and contains a “last_logins” value
  • Buttons disappeared from the end-user web interface, and users previously known as regular users now have an Admin button

Security teams investigating a possible compromise should review user.xml modification times, correlate admin login events with public IPs, and audit permission changes on high-value folders. It is also important to look for suspicious patterns in access logs tied to newly created users or unexplained admin role escalations, which are typical signs of post-exploitation behavior in real-world breaches.
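As an added example (not code from CrushFTP or its advisory), the following Python script applies the published indicators to an offline copy of per-user XML files: it flags long random-looking usernames, admin access on the default user or on newly created users, and a last_logins value in a recently modified default user.xml. The element names <admin> and <last_logins>, the flat per-user XML layout, the 30-day review window and the sample data are all assumptions made for illustration; map them to the real CrushFTP schema before running this against a production backup.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# The sample ID in the advisory is 32 hex characters plus a trailing letter.
# Any long hex-looking run is treated as suspicious (heuristic, an assumption).
RANDOM_ID_RE = re.compile(r"^[0-9a-f]{24,}[a-z]?$")


def is_random_user_id(username: str) -> bool:
    """True for usernames that look like the long random IDs listed as an IoC."""
    return bool(RANDOM_ID_RE.match(username))


def recently_modified(mtime: datetime, now: datetime, window_days: int = 30) -> bool:
    """True if the file was modified within the review window (assumed 30 days)."""
    return now - mtime <= timedelta(days=window_days)


def check_user_xml(username: str, xml_text: str, mtime=None, now=None):
    """Return the list of IoC matches for one user's user.xml.

    Assumed layout: <user><username/><admin>true|false</admin><last_logins/></user>.
    """
    findings = []
    if is_random_user_id(username):
        findings.append("random-looking user id")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # A file that no longer parses is itself worth a look during triage.
        return findings + ["unparseable user.xml"]

    if root.findtext("admin", default="false").strip().lower() == "true":
        findings.append("default user has admin access" if username == "default"
                        else "admin access")

    # The last_logins indicator in the advisory is specific to the default user's file.
    last_logins = root.findtext("last_logins")
    if username == "default" and last_logins and last_logins.strip():
        if mtime is not None and now is not None and recently_modified(mtime, now):
            findings.append("last_logins present in recently modified user.xml")
        else:
            findings.append("last_logins present")
    return findings


def triage_users(users, now):
    """users maps username -> (xml_text, mtime). Returns only users with findings."""
    report = {}
    for username, (xml_text, mtime) in users.items():
        findings = check_user_xml(username, xml_text, mtime, now)
        if findings:
            report[username] = findings
    return report


# Constructed sample data standing in for MainUsers/<user>/user.xml on disk.
NOW = datetime(2025, 7, 20, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "default": (
        "<user><username>default</username><admin>true</admin>"
        "<last_logins>2025-07-18 09:12</last_logins></user>",
        datetime(2025, 7, 18, 9, 15, tzinfo=timezone.utc),
    ),
    "alice": (
        "<user><username>alice</username><admin>false</admin></user>",
        datetime(2025, 3, 1, tzinfo=timezone.utc),
    ),
    "7a0d26089ac528941bf8cb998d97f408m": (
        "<user><username>7a0d26089ac528941bf8cb998d97f408m</username>"
        "<admin>true</admin></user>",
        datetime(2025, 7, 18, 9, 20, tzinfo=timezone.utc),
    ),
}

if __name__ == "__main__":
    for user, hits in triage_users(SAMPLE_USERS, NOW).items():
        print(f"{user}: {', '.join(hits)}")
```

Run against the constructed sample, the script reports the default user (admin access plus a fresh last_logins value) and the random-looking account, and stays silent on the ordinary user; feeding it real files means reading each user's XML and its mtime from the backup directory into the same username-to-(text, mtime) mapping.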

As mitigations, the company recommends that users restore a prior default user from the backup folder and review upload/download reports for any signs of suspicious transfers. Other steps include:

  • Limit the IP addresses used for administrative actions
  • Allowlist IPs that can connect to the CrushFTP server
  • Switch to a DMZ CrushFTP instance for enterprise use
  • Ensure automatic updates are enabled

At this stage, the exact nature of the attacks exploiting the flaw is not known. Earlier this April, another security defect in the same product (CVE-2025-31161, CVSS score: 9.8) was weaponized to deliver the MeshCentral agent and other malware.


Last year, it also emerged that a second critical vulnerability affecting CrushFTP (CVE-2024-4040, CVSS score: 9.8) was leveraged by threat actors to target multiple U.S. entities.

With several high-severity CVEs exploited over the past year, CrushFTP has emerged as a recurring target in advanced threat campaigns. Organizations should factor this pattern into broader threat exposure assessments, alongside patch cadence, third-party file transfer risks, and zero-day detection workflows involving remote access tools and credential compromise.
