CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers.
CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S, and other protocols.
According to CrushFTP, threat actors were first detected exploiting the vulnerability on July 18th at 9AM CST, though it may have begun in the early hours of the previous day.
CrushFTP CEO Ben Spink told BleepingComputer that they had previously fixed a vulnerability related to AS2 in HTTP(S) that inadvertently blocked this zero-day flaw as well.
"A prior fix by chance happened to block this vulnerability too, but the prior fix was targeting a different issue and turning off some rarely used feature by default," Spink told BleepingComputer.
CrushFTP says it believes threat actors reverse engineered its software, discovered this new bug, and began exploiting it on devices that are not up to date on their patches.
"We believe this bug was in builds prior to July 1st time period roughly…the latest versions of CrushFTP already have the issue patched," reads CrushFTP's advisory.
"The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.
"As always we recommend regular and frequent patching. Anyone who had stayed up to date was spared from this exploit."
The attack occurs via the software's web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. It's unclear when these versions were released, but CrushFTP says around July 1st.
CrushFTP stresses that systems that have been kept up to date are not vulnerable.
Enterprise customers using a DMZ CrushFTP instance to isolate their main server are not believed to be affected by this vulnerability.
Administrators who believe their systems were compromised are advised to restore the default user configuration from a backup dated before July 16th. Indicators of compromise include:
- Unexpected entries in MainUsers/default/user.XML, specifically recent modifications or a last_logins field
- New, unrecognized admin-level usernames such as 7a0d26089ac528941bf8cb998d97f408m.
Spink says they are most commonly seeing the default user modified as the main IOC.
"In general we have seen the default user modified as the main IOC. In general, modified in very invalid ways that were still usable for the attacker but no one else," Spink told BleepingComputer.
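As an added illustration (not part of the BleepingComputer article or of CrushFTP's own tooling), the following Python script checks a user.XML for the indicators listed above: admin-level accounts you did not provision, an unexpected last_logins field, and usernames that look machine-generated like the one quoted in the advisory. The XML layout, the tag names and the KNOWN_ADMINS set are assumptions, and the sample file content is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in an ASSUMED layout: one <user> element per account with
# <username>, <admin> and, on a tampered host, a <last_logins> child. The real
# CrushFTP user.XML schema may differ; adjust the tag names to match your file.
SAMPLE_USER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user><username>default</username><admin>false</admin></user>
  <user><username>alice</username><admin>true</admin></user>
  <user>
    <username>7a0d26089ac528941bf8cb998d97f408m</username>
    <admin>true</admin>
    <last_logins>2025-07-18 09:00</last_logins>
  </user>
</users>
"""

KNOWN_ADMINS = {"alice"}  # assumption: the admin accounts you provisioned yourself


def looks_machine_generated(name, min_len=24, hex_ratio=0.9):
    """Heuristic: long names made almost entirely of hex digits, like the
    username quoted in the advisory, are unlikely to be human-chosen."""
    if len(name) < min_len:
        return False
    hex_chars = sum(c in "0123456789abcdefABCDEF" for c in name)
    return hex_chars / len(name) >= hex_ratio


def scan_user_xml(xml_text, known_admins=KNOWN_ADMINS):
    """Return (username, reason) findings for the indicators listed above."""
    findings = []
    for user in ET.fromstring(xml_text).iter("user"):
        name = (user.findtext("username") or "").strip()
        is_admin = (user.findtext("admin") or "").strip().lower() == "true"
        if is_admin and name not in known_admins:
            findings.append((name, "unrecognized admin-level account"))
        if looks_machine_generated(name):
            findings.append((name, "username looks machine-generated"))
        if user.find("last_logins") is not None:
            findings.append((name, "unexpected last_logins field present"))
        if name == "default" and is_admin:
            findings.append((name, "default user has been granted admin"))
    return findings


if __name__ == "__main__":
    for name, reason in scan_user_xml(SAMPLE_USER_XML):
        print(f"{name}: {reason}")
```

Run it against a copy of the live file and compare the file's modification time with the July 16th restore point the vendor names; any finding on the default user is the strongest signal, per Spink's comment above.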
CrushFTP recommends reviewing the upload and download logs for unusual activity and taking the following steps to mitigate exploitation:
- IP whitelisting for server and admin access
- Use of a DMZ instance
- Enabling automatic updates
However, cybersecurity firm Rapid7 says using a DMZ may not be a reliable way to prevent exploitation.
"Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy," warned Rapid7.
Currently, it's unclear if the attacks were used for data theft or to deploy malware. However, managed file transfer solutions have become high-value targets for data theft campaigns in recent years.
In the past, ransomware gangs, usually Clop, have repeatedly exploited zero-day vulnerabilities in similar platforms, including Cleo, MOVEit Transfer, GoAnywhere MFT, and Accellion FTA, to conduct mass data theft and extortion attacks.