Cyber Web Spider Blog – News

Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on Unpatched Servers

Posted on July 20, 2025 By CWS

Jul 20, 2025Ravie LakshmananVulnerability / Menace Intelligence
A newly disclosed important safety flaw in CrushFTP has come beneath lively exploitation within the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS rating of 9.0.
“CrushFTP 10 earlier than 10.8.5 and 11 earlier than 11.3.4_23, when the DMZ proxy characteristic will not be used, mishandles AS2 validation and consequently permits distant attackers to acquire admin entry by way of HTTPS,” in line with an outline of the vulnerability within the NIST’s Nationwide Vulnerability Database (NVD).
CrushFTP, in an advisory, mentioned it first detected the zero-day exploitation of the vulnerability within the wild on July 18, 2025, 9 a.m. CST, though it acknowledged that it might have been weaponized a lot earlier.

“The attack vector was HTTP(S) for how they could exploit the server,” the company said. “We had fixed a different issue related to AS2 in HTTP(S) not realizing that a prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.”
CrushFTP is widely used in government, healthcare, and enterprise environments to manage sensitive file transfers, making administrative access especially dangerous. A compromised instance can allow attackers to exfiltrate data, inject backdoors, or pivot into internal systems that rely on the server for trusted exchange. Without DMZ isolation, the exposed instance becomes a single point of failure.
The company said the unknown threat actors behind the malicious activity managed to reverse engineer its source code and discovered the new flaw to target devices that are yet to be updated to the latest versions. It's believed that CVE-2025-54309 was present in CrushFTP builds prior to July 1.
CrushFTP has also released the following indicators of compromise (IoCs) –

  • Default user has admin access
  • Long random user IDs created (e.g., 7a0d26089ac528941bf8cb998d97f408m)
  • Other new usernames created with admin access
  • The file “MainUsers/default/user.xml” was recently modified and has a “last_logins” value in it
  • Buttons from the end user web interface disappeared, and users previously identified as regular users now have an Admin button

Security teams investigating possible compromise should review user.xml modification times, correlate admin login events with public IPs, and audit permission changes on high-value folders. It's also essential to look for suspicious patterns in access logs tied to newly created users or unexplained admin role escalations, which are typical signs of post-exploitation behavior in real-world breach scenarios.
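The file-system indicators listed above can be checked with a script. The following is an added example, not code from CrushFTP or from the original article. It assumes a users directory with one sub-directory per user, each holding a user.xml (as the MainUsers/default/user.xml path suggests); the 30-day window, the ID pattern generalised from the single sample ID, and the sample tree are constructed for illustration.

```python
import os
import tempfile
import time
import re
from pathlib import Path

# Shape of the one sample ID on the page: 32 hex characters plus a trailing
# letter. Generalising from that single sample is an assumption.
RANDOM_ID = re.compile(r"^[0-9a-f]{32}[a-z]?$", re.IGNORECASE)

def triage_users_dir(users_dir, recent_days=30, now=None):
    """Return (indicator, user) findings for a directory that holds one
    sub-directory per user, each with a user.xml (layout is an assumption)."""
    cutoff = (time.time() if now is None else now) - recent_days * 86400
    findings = []
    for name in sorted(os.listdir(users_dir)):
        xml = os.path.join(users_dir, name, "user.xml")
        if not os.path.isfile(xml):
            continue
        recent = os.path.getmtime(xml) >= cutoff
        if RANDOM_ID.match(name):  # IoC: long random user IDs created
            findings.append(("random-looking user ID", name))
        if name == "default":
            # IoC: default user.xml recently modified and holding last_logins
            if "last_logins" in Path(xml).read_text(errors="replace"):
                findings.append(("default user has last_logins", name))
            if recent:
                findings.append(("default user.xml recently modified", name))
        elif recent:
            # Not an IoC by itself: a review list for spotting new accounts
            findings.append(("user.xml recently modified", name))
    return findings

def build_sample(root, now):
    # Constructed sample tree: an old untouched user, a tampered default
    # user, and an account named like the page's example ID.
    for name, body, mtime in [
        ("alice", "<user/>", now - 400 * 86400),
        ("default", "<user><last_logins>x</last_logins></user>", now),
        ("7a0d26089ac528941bf8cb998d97f408m", "<user/>", now),
    ]:
        os.makedirs(os.path.join(root, name))
        path = os.path.join(root, name, "user.xml")
        Path(path).write_text(body)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, time.time())
        print(triage_users_dir(root))
```

Findings are leads for review, not proof of compromise; whether a flagged account actually holds admin access still has to be confirmed in the CrushFTP user manager.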
As mitigations, the company recommends that users restore a prior default user from the backup folder, as well as review upload/download reports for any signs of suspicious transfers. Other steps include –

  • Limit the IP addresses used for administrative actions
  • Allowlist IPs that can connect to the CrushFTP server
  • Switch to DMZ CrushFTP instance for enterprise use
  • Ensure automatic updates are enabled

At this stage, the exact nature of the attacks exploiting the flaw is not known. Earlier this April, another security defect in the same solution (CVE-2025-31161, CVSS score: 9.8) was weaponized to deliver the MeshCentral agent and other malware.
Last year, it also emerged that a second critical vulnerability impacting CrushFTP (CVE-2024-4040, CVSS score: 9.8) was leveraged by threat actors to target multiple U.S. entities.
With multiple high-severity CVEs exploited over the past year, CrushFTP has emerged as a recurring target in advanced threat campaigns. Organizations should consider this pattern as part of broader threat exposure assessments, alongside patch cadence, third-party file transfer risks, and zero-day detection workflows involving remote access tools and credential compromise.

The Hacker News Tags:Access, Admin, Critical, CrushFTP, Exploit, Flaw, Gain, Hackers, Servers, Unpatched
