Impreza Portal
Sign InMy ServicesMy DomainsMy InvoicesMy Tickets
News
Celebrative Logos
Our Platform
Carbon Removal Commitment
Tutorials
Video TutorialsKnowledge Base
More
UptimeNetwork StatusAffiliatesJobsAbout us
Contact
Submit Ticket (Less than 1hour to answer)Whatsapp (Less than 24hours to answer)Telegram (Less than 24hours to answer)Report Abuse
HOMEDOMAINS
CONTACT
Login
Sign InCreate an Account
No Comments

Over 1,000 CrushFTP Servers Vulnerable to Critical Hijack Flaw

 

CrushFTP exposed

Over 1,000 CrushFTP instances currently exposed online face hijack attacks that exploit a critical security bug, which grants admin access to the web interface.

This security vulnerability (CVE-2025-54309) stems from mishandled AS2 validation and affects all CrushFTP versions below 10.8.5 and 11.3.4_23. The vendor acknowledged the flaw as actively exploited in the wild on July 19th, and although attacks may have started earlier, it has not yet found evidence to confirm this.

“July 18th, 9AM CST there is a 0-day exploit seen in the wild. Possibly it has been going on for longer, but we saw it then. Hackers apparently reverse engineered our code and found some bug which we had already fixed,” reads CrushFTP’s advisory.

“They are exploiting it for anyone who has not stayed current on new versions. As always we recommend regularly and frequent patching. Anyone who had kept up to date was spared from this exploit.”

However, CrushFTP clarified last week that servers kept up to date remain protected from attacks. The company also stated that customers who use a demilitarized zone (DMZ) instance to isolate their main server avoid exposure to this vulnerability.

In addition, the company advises administrators to review upload and download logs for unusual activity. It further recommends enabling automatic updates and listing IPs for server and admin access to reduce the risk of exploitation.

Over 1,000 instances exposed

According to scans from the security threat monitoring platform Shadowserver, approximately 1,040 CrushFTP instances still run unpatched versions and remain exposed to CVE-2025-54309.

Shadowserver now informs CrushFTP customers that their servers lack protection against ongoing CVE-2025-54309 exploitation, putting their data at risk of theft.

While the nature of these ongoing attacks remains unclear—whether they involve malware deployment or data theft—cybercriminals have consistently targeted managed file transfer solutions like CrushFTP in recent years.

For example, the Clop cybercrime gang has launched several data theft campaigns exploiting zero-day flaws in Accellion FTA, GoAnywhere MFT, MOVEit Transfer, and more recently, Cleo software.

Additionally, in April 2024, CrushFTP addressed another actively exploited zero-day (CVE-2024-4040) that allowed unauthenticated attackers to escape the user’s virtual file system (VFS) and download system files.

At that time, the cybersecurity company CrowdStrike uncovered evidence suggesting that the attacks—which focused on U.S. organizations using CrushFTP and aimed at intelligence gathering—likely had political motivations.

 

Source: BleepingComputer,

Read more at Impreza News

You might also like
CyberSecurity, Data Breach, News, Vulnerability
CyberSecurity, Data Breach, News, Vulnerability

More Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.