CrushFTP, maker of the widely used file transfer server of the same name, said it has discovered a previously unknown vulnerability being exploited by attackers. The critical zero-day flaw, tracked as CVE-2025-54309, was observed being actively exploited in the wild. The full timeline of the exploitation isn't definitively known; the vendor's disclosure marked the point at which the attacks were widely detected. The threat actors appear to have reverse-engineered a prior code fix shipped by CrushFTP, identified a related vulnerability that remained exposed in older versions, and crafted an exploit against unpatched systems that uses HTTP(S) as the attack vector.
The vulnerability affects CrushFTP builds released before July 1st, 2025, so installations that were kept current are likely unaffected by this exploit; note, however, that updating after exploitation began does not undo a compromise that has already happened, so the checks below still apply. Notably, the earlier fix, which addressed a separate issue in AS2 over HTTP(S), appears to have inadvertently given attackers a blueprint to the underlying bug. The incident illustrates a common adversary tactic: diffing software patches to uncover related or re-emergent vulnerabilities, then weaponizing them against systems that have not yet updated.
For organizations or individuals who suspect their CrushFTP server may have been compromised, immediate action is crucial.
The primary recommendation is to restore the default user from a backup taken before the exploit, that is, no later than about July 16th, 2025, so that no malicious configuration lingers. Note that CrushFTP's backup zip files may need a tool such as 7-Zip or WinRAR to extract. Administrators should also review the upload and download reports for unauthorized transfers, since attackers have reportedly reused scripts from previous exploits to drop payloads on compromised servers.
To harden the server against similar incidents, several mitigations are recommended. Restrict administrative access to an allowlist of IP addresses, which sharply reduces the exposed attack surface. Enterprise deployments should place a CrushFTP DMZ (Demilitarized Zone) instance in front of the main server as an additional layer. Enable automatic, frequent updates in CrushFTP's preferences so that critical patches are applied as soon as they are released, and sign up for CrushFTP's emergency notifications to stay informed about new threats.
Identifying a compromise can be subtle, but there are several key indicators: "last_logins" entries in the MainUsers/default/user.XML file, a recent modification date on the default user's XML, or the default user inexplicably having admin access. Long, random user IDs, other newly created admin accounts, or unexpected changes to the end-user WebInterface (missing buttons, a regular user gaining admin privileges) also point to compromise. Attackers may also display a fake version number to deceive administrators, so the version string alone is not proof of a patched build; use the "validate hashes" function on CrushFTP's About tab to verify file integrity and detect unauthorized code.
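Most of these indicators can be checked mechanically rather than by eyeballing XML. The script below is an added example, not CrushFTP's own code: it walks a dictionary standing in for the MainUsers/<user>/user.XML files and flags the indicators listed above (a last_logins entry or admin right on the default user, a default user.XML modified inside the compromise window, long random user IDs, and admin accounts created or modified inside that window). The samples are constructed, the `<admin>` and `<last_logins>` element names are assumptions for illustration, and treating July 16th, 2025 as the start of the compromise window follows the restore guidance above; compare the element names with a real user.XML before relying on the admin check. File integrity (the "validate hashes" step) is not covered here.

```python
"""Triage of CrushFTP MainUsers/*/user.XML for the indicators named above.

Added example, not CrushFTP code. Element names in the samples are ASSUMED.
"""
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# The advisory says to restore the default user from a backup taken before
# July 16th, 2025, so files changed on or after that date are treated as suspect.
COMPROMISE_WINDOW_START = datetime(2025, 7, 16, tzinfo=timezone.utc)
BEFORE_WINDOW = datetime(2025, 6, 30, tzinfo=timezone.utc)   # constructed mtimes
INSIDE_WINDOW = datetime(2025, 7, 18, tzinfo=timezone.utc)

# Constructed samples, not captured from a real server. <admin> and
# <last_logins> are ASSUMED names; check them against your own user.XML.
SUSPECT_DEFAULT = """<user type="properties">
  <username>default</username>
  <admin>true</admin>
  <last_logins type="vector">
    <last_logins_subitem>203.0.113.7|2025-07-18 09:03</last_logins_subitem>
  </last_logins>
</user>"""
CLEAN_DEFAULT = '<user type="properties"><username>default</username><admin>false</admin></user>'
NEW_ADMIN = '<user type="properties"><username>a9fQz3Lx0pW7rTk2</username><admin>true</admin></user>'
CLEAN_USER = '<user type="properties"><username>alice</username><admin>false</admin></user>'

SAMPLE_MAIN_USERS = {          # username -> (user.XML text, file mtime)
    "default": (SUSPECT_DEFAULT, INSIDE_WINDOW),
    "a9fQz3Lx0pW7rTk2": (NEW_ADMIN, INSIDE_WINDOW),
    "alice": (CLEAN_USER, BEFORE_WINDOW),
}


def shannon_entropy(s: str) -> float:
    """Bits per character: log2(16) = 4.0 for a 16-char string with no repeats."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def looks_random_userid(name: str) -> bool:
    """Heuristic for the 'long, random user IDs' indicator: long, letters and
    digits mixed, high entropy. Human-chosen names fail at least one test."""
    return (len(name) >= 12
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name)
            and shannon_entropy(name) >= 3.5)


def admin_markers(root: ET.Element) -> list[str]:
    """Elements that grant admin access. ASSUMED shape: a tag containing 'admin'
    with a true-ish value, or any text value that mentions admin."""
    found = []
    for el in root.iter():
        text = (el.text or "").strip().lower()
        if "admin" in el.tag.lower() and text in ("true", "1", "yes"):
            found.append(f"admin flag set (<{el.tag}>)")
        elif "admin" in text:
            found.append(f"admin marker in <{el.tag}>")
    return found


def user_indicators(name: str, xml_text: str, modified: datetime) -> list[str]:
    """Indicators for one MainUsers/<name>/user.XML file."""
    root = ET.fromstring(xml_text)
    findings = []
    admin = admin_markers(root)
    if name == "default":
        # The default user is a template that never authenticates itself, so
        # any recorded login, admin right, or recent edit is suspect.
        if any(el.tag == "last_logins" and (len(el) or (el.text or "").strip())
               for el in root.iter()):
            findings.append("last_logins present")
        findings.extend(admin)
        if modified >= COMPROMISE_WINDOW_START:
            findings.append(f"user.XML modified {modified.date()} inside compromise window")
    else:
        if looks_random_userid(name):
            findings.append("long random user ID")
        if admin and modified >= COMPROMISE_WINDOW_START:
            findings.append("admin account created or modified inside compromise window")
    return findings


def triage(main_users: dict[str, tuple[str, datetime]]) -> dict[str, list[str]]:
    """Return only the users with findings, for review or alerting."""
    report = {}
    for name, (xml_text, modified) in main_users.items():
        findings = user_indicators(name, xml_text, modified)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for user, findings in triage(SAMPLE_MAIN_USERS).items():
        print(f"{user}: {'; '.join(findings)}")
```

On a live server, build the dictionary from the MainUsers directory (each subfolder name is the username, the file mtime comes from os.stat), and treat every hit as a lead to confirm against the upload/download reports rather than as proof on its own; the entropy heuristic in particular will occasionally flag legitimate service accounts with long generated names.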