CrushFTP zero-day exploited in attacks to gain admin access on servers

by CybrGPT

CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers.

CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S, and other protocols.

According to CrushFTP, threat actors were first detected exploiting the vulnerability on July 18th at 9AM CST, though it may have begun in the early hours of the previous day.

CrushFTP CEO Ben Spink told BleepingComputer that an earlier fix for a vulnerability in the AS2 handling over HTTP(S) had inadvertently blocked this zero-day flaw as well.

“A prior fix by chance happened to block this vulnerability too, but the prior fix was targeting a different issue and turning off some rarely used feature by default,” Spink told BleepingComputer.

CrushFTP says it believes threat actors reverse-engineered its software, discovered this new bug, and began exploiting it on servers that were not up to date on patches.

“We believe this bug was in builds prior to July 1st time period roughly…the latest versions of CrushFTP already have the issue patched,” reads CrushFTP’s advisory.

“The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.

“As always we recommend regularly and frequent patching. Anyone who had kept up to date was spared from this exploit.”

The attack occurs via the software's web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. CrushFTP has not given exact release dates for these builds, but says they shipped around July 1st.

CrushFTP stresses that systems that have been kept up to date are not vulnerable.

According to CrushFTP, enterprise customers that use a DMZ CrushFTP instance to isolate their main server are not believed to be affected by this vulnerability.

Administrators who believe their systems were compromised are advised to restore the default user configuration from a backup dated before July 16th. Indicators of compromise include:

  • Unexpected entries in MainUsers/default/user.XML, in particular a recent modification time or the presence of a last_logins field
  • New, unrecognized admin-level usernames, such as 7a0d26089ac528941bf8cb998d97f408m
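The two indicators above, plus Spink's note further down that the tampered default user was often left "modified in very invalid ways", can be turned into a quick triage script. The following is an added example, not CrushFTP's own code or tooling: it walks a MainUsers tree, and for every user.XML flags a modification time after the July 16th cutoff, a last_logins element, a username that matches the 32-hex-character style of the name quoted in the advisory, a username missing from an operator-supplied allowlist, and XML that no longer parses. The element names (username, last_logins) and the sample files it builds in a temporary directory are constructed assumptions for the demonstration; adjust them to what a real installation actually contains.

```python
"""Triage helper for the CrushFTP CVE-2025-54309 indicators listed above.

Added example (not CrushFTP's code). The user.XML layout used in the
constructed sample tree is an assumption; check it against a real install.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Usernames shaped like the one quoted in the advisory: 32 hex chars plus an
# optional trailing letter. Heuristic only; it will not catch every rogue name.
RANDOM_NAME = re.compile(r"^[0-9a-f]{32}[a-z]?$")


def scan_user_xml(path, known_users, cutoff):
    """Inspect one user.XML; return (username, list of findings)."""
    findings = []
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    if mtime > cutoff:
        findings.append("modified after %s (mtime %s)" % (cutoff.date(), mtime.date()))
    # Fall back to the folder name if the XML is unreadable.
    username = os.path.basename(os.path.dirname(path))
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        # Attackers reportedly left entries "modified in very invalid ways".
        findings.append("malformed XML: %s" % exc)
        root = None
    if root is not None:
        if root.find(".//last_logins") is not None:
            findings.append("contains last_logins")
        username = root.findtext(".//username") or username
    if RANDOM_NAME.match(username):
        findings.append("username looks machine-generated")
    if username not in known_users:
        findings.append("username not on allowlist")
    return username, findings


def scan_main_users(main_users_dir, known_users, cutoff):
    """Walk every user.XML under MainUsers and return {username: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(main_users_dir):
        for name in files:
            if name.lower() == "user.xml":
                user, findings = scan_user_xml(os.path.join(dirpath, name), known_users, cutoff)
                if findings:
                    results[user] = findings
    return results


def build_sample_tree(base):
    """Constructed sample data (not from a real server): one clean user, one
    tampered default user, one rogue hex-named user with truncated XML."""
    old = datetime(2025, 7, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2025, 7, 19, tzinfo=timezone.utc).timestamp()
    samples = {
        "alice": ("<user><username>alice</username></user>", old),
        "default": ("<user><username>default</username>"
                    "<last_logins>1</last_logins></user>", new),
        # Missing closing tag on purpose: simulates an "invalid but usable" edit.
        "7a0d26089ac528941bf8cb998d97f408m": (
            "<user><username>7a0d26089ac528941bf8cb998d97f408m</username>", new),
    }
    main_users = os.path.join(base, "MainUsers")
    for user, (xml, ts) in samples.items():
        folder = os.path.join(main_users, user)
        os.makedirs(folder)
        path = os.path.join(folder, "user.XML")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(xml)
        os.utime(path, (ts, ts))  # set mtime so the cutoff check is exercised
    return main_users


def run_demo():
    """Build the sample tree in a temp dir and scan it with a July 16th cutoff."""
    base = tempfile.mkdtemp(prefix="crushftp-ioc-")
    cutoff = datetime(2025, 7, 16, tzinfo=timezone.utc)
    return scan_main_users(build_sample_tree(base), {"alice", "default"}, cutoff)


if __name__ == "__main__":
    for user, findings in run_demo().items():
        print("%s -> %s" % (user, "; ".join(findings)))
```

Point `scan_main_users` at the real users/MainUsers directory and pass the allowlist of accounts you actually created; anything that comes back deserves a look at the upload and download logs for the same time window. Treat the hex-name regex as a starting point only, since an attacker who renames the account will not trip it.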

Spink says the modified default user is the indicator they are seeing most often.

“In general we have seen the default user modified as the main IOC. In general, modified in very invalid ways that were still usable for the attacker but no one else,” Spink told BleepingComputer.

CrushFTP recommends reviewing the upload and download logs for unusual activity and taking the following steps to mitigate exploitation:

  • IP whitelisting for server and admin access
  • Use of a DMZ instance
  • Enabling automatic updates

However, cybersecurity firm Rapid7 says using a DMZ may not be a reliable strategy to prevent exploitation.

“Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy,” warned Rapid7.

At this time, it is unclear whether the attacks were used for data theft or to deploy malware. However, managed file transfer solutions have become high-value targets for data theft campaigns in recent years.

In the past, ransomware gangs, usually Clop, have repeatedly exploited zero-day vulnerabilities in similar platforms, including Cleo, MOVEit Transfer, GoAnywhere MFT, and Accellion FTA, to conduct mass data theft and extortion attacks.



© 2025 cybrgpt.com – All rights reserved.