CrushFTP over the weekend warned that hackers have been exploiting a zero-day vulnerability in its managed file transfer software to gain administrative access to vulnerable servers.
Tracked as CVE-2025-54309 (CVSS score of 9.0), the flaw is described as the mishandling of AS2 validation when the DMZ proxy feature is not used, which allows remote attackers to obtain administrative privileges over HTTPS.
According to CrushFTP, the security defect exists in builds released prior to July 1, and was patched in recent releases of the software, although the attack vector itself had not been recognized at the time.
“The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that the prior bug could be used like this exploit was,” CrushFTP notes in its advisory.
The company believes that threat actors likely reverse-engineered its code and discovered they could exploit the bug against unpatched instances.
“Hackers apparently saw our code change, and figured out a way to exploit the prior bug,” CrushFTP says.
According to the company, only instances that are not using a DMZ in front of the application are susceptible to exploitation.
CrushFTP says it first observed in-the-wild attacks on the morning of July 18, but the exploitation might have started earlier. CrushFTP versions 10 prior to 10.8.5 and versions 11 prior to 11.3.4_23 are impacted. Patches were included in CrushFTP versions 10.8.5_12 and 11.3.4_26.
Indicators of compromise (IoCs) include the presence of ‘last_logins’ entries in the default user’s XML file, a modified timestamp for that file, administrative access for the default user, the presence of long random userIDs, the existence of new usernames with admin access, the disappearance of buttons from the end-user web interface, and an admin button appearing for regular users.
Additionally, the company explains that attackers have been observed modifying the software’s reported version to give a false sense of security, and it encourages administrators to check the MD5 hashes for potential tampering.
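The two checks above (scanning user records for the listed indicators, and verifying file hashes instead of trusting the displayed version) can be scripted. The following is an added example, not code from CrushFTP or from the advisory: the per-user XML layout (`<user>`, `<username>`, `<admin>`, `<last_logins>`), the sample records, the known-user baseline and the expected hash are all constructed assumptions for illustration and must be adapted to the real files on a server.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample user records. The XML layout is an ASSUMPTION for
# illustration, not CrushFTP's documented schema; map the element names
# to the real per-user XML files before using this on a server.
SAMPLE_USERS = {
    "default": (
        "<user><username>default</username>"
        "<last_logins><login ip=\"203.0.113.5\"/></last_logins>"
        "<admin>true</admin></user>"
    ),
    "alice": "<user><username>alice</username><admin>false</admin></user>",
    "q8Zr2xLp0vWn5tYk3mBh7cJd": (
        "<user><username>q8Zr2xLp0vWn5tYk3mBh7cJd</username>"
        "<admin>true</admin></user>"
    ),
}

# Accounts the administrator knows they created (constructed baseline).
KNOWN_USERS = {"default", "alice"}

# Heuristic for the "long random userID" indicator: 20+ alphanumerics.
RANDOM_ID = re.compile(r"^[A-Za-z0-9]{20,}$")
TRUE_VALUES = {"true", "1", "yes"}


def is_admin(root: ET.Element) -> bool:
    """True when the (assumed) <admin> element carries a truthy value."""
    node = root.find("admin")
    return node is not None and (node.text or "").strip().lower() in TRUE_VALUES


def analyze_user(username: str, xml_text: str, known_users: set) -> list:
    """Return the advisory indicators that match one user record."""
    root = ET.fromstring(xml_text)
    findings = []
    admin = is_admin(root)
    if username == "default":
        # The default user should have no login history and no admin rights.
        logins = root.find("last_logins")
        if logins is not None and len(logins) > 0:
            findings.append("default user has last_logins entries")
        if admin:
            findings.append("default user has admin access")
    else:
        if RANDOM_ID.match(username):
            findings.append("long random userID")
        if admin and username not in known_users:
            findings.append("new username with admin access")
    return findings


def scan_users(users: dict, known_users: set) -> dict:
    """Scan every record; keep only users with at least one finding."""
    report = {}
    for name, xml_text in users.items():
        hits = analyze_user(name, xml_text, known_users)
        if hits:
            report[name] = hits
    return report


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_install(data: bytes, expected_md5: str) -> bool:
    """Compare a file's MD5 with a known-good value from the vendor; the
    version string shown in the UI is not trustworthy per the advisory."""
    return md5_hex(data) == expected_md5.lower()


if __name__ == "__main__":
    for user, hits in scan_users(SAMPLE_USERS, KNOWN_USERS).items():
        print(f"{user}: {', '.join(hits)}")
    # Placeholder: replace with the real file bytes and the vendor's hash.
    print(verify_install(b"constructed jar bytes", "EXPECTED_MD5_FROM_VENDOR"))
```

On a real deployment, `SAMPLE_USERS` would be replaced by reading each user's XML file from disk, and the file's modification time compared against the July 16 restore point the advisory mentions; the hash check should be run against every installed binary, with the expected value taken from the vendor rather than from the server under review.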
Administrators should restore the default user from earlier backups, or simply delete the default user, although that would also erase prior customizations to it.
“Review upload/download reports for anything transferred. Hackers re-used scripts from prior exploits to deploy things on CrushFTP servers. We recommend restoring the July 16th time-period just to avoid anything that might have been done. While we saw the major bulk of exploits in the morning of July 18th, the actual exploits may have been occurring a day earlier while administrators were asleep,” CrushFTP notes.
Administrators are also advised to enforce IP limits for administrative accounts, filter the IPs allowed to connect to the server, use a DMZ CrushFTP instance in front of the file transfer tool, and enable automatic updates to always stay on the latest software release.
Related: Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day
Related: CrushFTP Patches Exploited Zero-Day Vulnerability
Related: SharePoint Under Attack: Microsoft Warns of Zero-Day Exploited in the Wild – No Patch Available
Related: Grafana Patches Chromium Bugs, Including Zero-Day Exploited in the Wild