A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS score of 9.0.
"CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS," according to a description of the vulnerability in NIST's National Vulnerability Database (NVD).
CrushFTP, in an advisory, said it first detected the zero-day exploitation of the vulnerability in the wild on July 18, 2025, 9 a.m. CST, although it acknowledged that it may have been weaponized much earlier.
"The attack vector was HTTP(S) for how they could exploit the server," the company said. "We had fixed a different issue related to AS2 in HTTP(S) not realizing that a prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug."
CrushFTP is widely used in government, healthcare, and enterprise environments to manage sensitive file transfers, making administrative access especially dangerous. A compromised instance can allow attackers to exfiltrate data, inject backdoors, or pivot into internal systems that rely on the server for trusted exchange. Without DMZ isolation, the exposed instance becomes a single point of failure.
The company said the unknown threat actors behind the malicious activity managed to reverse engineer its source code and discovered the new flaw to target devices that are yet to be updated to the latest versions. It is believed that CVE-2025-54309 was present in CrushFTP builds prior to July 1.
CrushFTP has also released the following indicators of compromise (IoCs) –
- Default user has admin access
- Long random user IDs created (e.g., 7a0d26089ac528941bf8cb998d97f408m)
- Other new usernames created with admin access
- The file "MainUsers/default/user.xml" was recently modified and has a "last_logins" value in it
- Buttons from the end user web interface disappeared, and users previously identified as regular users now have an Admin button
Security teams investigating possible compromise should review user.xml modification times, correlate admin login events with public IPs, and audit permission changes on high-value folders. It is also essential to look for suspicious patterns in access logs tied to newly created users or unexplained admin role escalations, which are typical indicators of post-exploitation behavior in real-world breach scenarios.
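As an added example (not CrushFTP's own code or part of the advisory), the following Python script applies the IoCs listed above and the review steps just described to a set of user definitions. The XML element names (username, admin, last_logins), the baseline of known admins, and the sample files are assumptions; adapt the element names to what your instance actually writes.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample inputs: path -> (last-modified time, file contents).
# The <username>/<admin>/<last_logins> layout is an ASSUMED simplified schema,
# not CrushFTP's real user.xml format.
SAMPLE_USERS = {
    "MainUsers/default/user.xml": (
        datetime(2025, 7, 19, 3, 14, tzinfo=timezone.utc),
        "<user><username>default</username><admin>true</admin>"
        "<last_logins>2025-07-19</last_logins></user>",
    ),
    "MainUsers/7a0d26089ac528941bf8cb998d97f408m/user.xml": (
        datetime(2025, 7, 19, 3, 15, tzinfo=timezone.utc),
        "<user><username>7a0d26089ac528941bf8cb998d97f408m</username>"
        "<admin>true</admin></user>",
    ),
    "MainUsers/alice/user.xml": (
        datetime(2025, 5, 2, 9, 0, tzinfo=timezone.utc),
        "<user><username>alice</username><admin>false</admin></user>",
    ),
}

KNOWN_ADMINS = {"crushadmin"}  # assumed baseline of legitimate admin accounts
RANDOM_ID = re.compile(r"^[0-9a-f]{24,}[a-z0-9]?$")  # long hex ID, optional trailing char
DEMO_NOW = datetime(2025, 7, 20, tzinfo=timezone.utc)  # fixed "now" for the sample

def triage_user(path, mtime, xml_text, now, window=timedelta(days=30)):
    """Return the list of IoC matches for one user definition (empty = clean)."""
    findings = []
    root = ET.fromstring(xml_text)
    name = root.findtext("username", "")
    is_admin = root.findtext("admin", "false").strip().lower() == "true"
    if name == "default" and is_admin:
        findings.append("default user has admin access")
    if RANDOM_ID.match(name):
        findings.append("long random user ID")
    if is_admin and name != "default" and name not in KNOWN_ADMINS:
        findings.append("unexpected admin user")
    if name == "default" and root.find("last_logins") is not None and now - mtime <= window:
        findings.append("default user.xml recently modified with last_logins")
    return findings

def triage_all(users, now):
    """Map each suspicious path to its findings; clean users are omitted."""
    report = {}
    for path, (mtime, xml_text) in users.items():
        hits = triage_user(path, mtime, xml_text, now)
        if hits:
            report[path] = hits
    return report

if __name__ == "__main__":
    for path, hits in triage_all(SAMPLE_USERS, DEMO_NOW).items():
        print(path, "->", "; ".join(hits))
```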
As mitigations, the company recommends that users restore a prior default user from the backup folder, as well as review upload/download reports for any signs of suspicious transfers. Other steps include –
- Limit the IP addresses used for administrative actions
- Allowlist IPs that can connect to the CrushFTP server
- Switch to a DMZ CrushFTP instance for enterprise use
- Ensure automatic updates are enabled
At this stage, the exact nature of the attacks exploiting the flaw is not known. Earlier this April, another security defect in the same solution (CVE-2025-31161, CVSS score: 9.8) was weaponized to deliver the MeshCentral agent and other malware.
Last year, it also emerged that a second critical vulnerability impacting CrushFTP (CVE-2024-4040, CVSS score: 9.8) was leveraged by threat actors to target multiple U.S. entities.
With multiple high-severity CVEs exploited over the past year, CrushFTP has emerged as a recurring target in advanced threat campaigns. Organizations should consider this pattern as part of broader threat exposure assessments, alongside patch cadence, third-party file transfer risks, and zero-day detection workflows involving remote access tools and credential compromise.