CrushFTP exposed
Over 1,000 CrushFTP instances currently exposed online face hijack attacks that exploit a critical security bug, which grants admin access to the web interface.
This security vulnerability (CVE-2025-54309) stems from mishandled AS2 validation and affects all CrushFTP versions below 10.8.5 and 11.3.4_23. The vendor acknowledged the flaw as actively exploited in the wild on July 19th, and although attacks may have started earlier, it has not yet found evidence to confirm this.
“July 18th, 9AM CST there is a 0-day exploit seen in the wild. Possibly it has been going on for longer, but we saw it then. Hackers apparently reverse engineered our code and found some bug which we had already fixed,” reads CrushFTP’s advisory.
“They are exploiting it for anyone who has not stayed current on new versions. As always, we recommend regular and frequent patching. Anyone who had kept up to date was spared from this exploit.”
CrushFTP also clarified last week that servers kept up to date remain protected from attacks. The company also stated that customers who use a demilitarized zone (DMZ) instance to isolate their main server avoid exposure to this vulnerability.
In addition, the company advises administrators to review upload and download logs for unusual activity. It further recommends enabling automatic updates and allow-listing the IP addresses permitted server and admin access to reduce the risk of exploitation.
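The first step in the patching guidance above is knowing which of your CrushFTP instances are still on an affected release. The following is an added example, not code from the article or from CrushFTP: it parses version strings in the form the article uses (e.g. "11.3.4_23"), compares each against the fixed releases the article names (10.8.5 for the 10.x branch, 11.3.4_23 for the 11.x branch), and lists the hosts that still need updating. The hostnames and versions in the sample inventory are constructed; the build-suffix handling (treating a missing `_NN` as build 0) is an assumption about how CrushFTP numbers builds.

```python
"""Check CrushFTP version strings against the CVE-2025-54309 fix releases.

Added example, not from the BleepingComputer article or from CrushFTP.
The fixed versions are the two the article names: 10.8.5 and 11.3.4_23.
The "major.minor.patch[_build]" format follows the article's example;
the inventory list below is constructed sample data.
"""
import re
from typing import List, Tuple

# First fixed release on each branch, as reported in the article.
FIXED_10 = "10.8.5"
FIXED_11 = "11.3.4_23"

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch[_build]' into a comparable tuple.

    Assumption: a missing build suffix counts as build 0, so that
    11.3.4 sorts below 11.3.4_23.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str) -> bool:
    """Return True if the version is below the fix for its branch.

    Anything below 10.8.5 (including older major versions) is affected;
    on the 11.x branch anything below 11.3.4_23 is affected.
    """
    v = parse_version(version)
    if v < parse_version(FIXED_10):
        return True
    if v[0] == 11 and v < parse_version(FIXED_11):
        return True
    return False


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose CrushFTP version still needs patching."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ftp-a.example.internal", "11.3.4_23"),  # fixed build on 11.x
    ("ftp-b.example.internal", "11.3.4_22"),  # one build short of the fix
    ("ftp-c.example.internal", "11.3.4"),     # no build suffix: below 11.3.4_23
    ("ftp-d.example.internal", "10.8.5"),     # fixed release on 10.x
    ("ftp-e.example.internal", "10.8.4"),     # below the 10.x fix
    ("ftp-f.example.internal", "9.5.0"),      # older branch, below 10.8.5
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required for CVE-2025-54309")
```

Feed `triage()` the output of your own asset inventory (hostname, reported CrushFTP version) and cross-check the result against the external view from a scanner such as Shadowserver; a host that appears on both lists is the one to patch first.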
Over 1,000 instances exposed
According to scans from the security threat monitoring platform Shadowserver, approximately 1,040 CrushFTP instances still run unpatched versions and remain exposed to CVE-2025-54309.
Shadowserver now informs CrushFTP customers that their servers lack protection against ongoing CVE-2025-54309 exploitation, putting their data at risk of theft.
While the nature of these ongoing attacks remains unclear—whether they involve malware deployment or data theft—cybercriminals have consistently targeted managed file transfer solutions like CrushFTP in recent years.
For example, the Clop cybercrime gang has launched several data theft campaigns exploiting zero-day flaws in Accellion FTA, GoAnywhere MFT, MOVEit Transfer, and more recently, Cleo software.
Additionally, in April 2024, CrushFTP addressed another actively exploited zero-day (CVE-2024-4040) that allowed unauthenticated attackers to escape the user’s virtual file system (VFS) and download system files.
At that time, the cybersecurity company CrowdStrike uncovered evidence suggesting that the attacks—which focused on U.S. organizations using CrushFTP and aimed at intelligence gathering—likely had political motivations.
Source: BleepingComputer, Sergiu Gatlan