
Hackers exploit critical CrushFTP flaw to gain admin access on unpatched servers


July 20, 2025Ravi LakshmananVulnerability/Threat Intelligence

A newly disclosed critical security flaw in CrushFTP is under active exploitation in the wild. The vulnerability has been assigned the CVE identifier CVE-2025-54309 and has a CVSS score of 9.0.

“CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTP,” according to the vulnerability description in NIST’s National Vulnerability Database (NVD).

CrushFTP said in an advisory that it first detected zero-day exploitation of the vulnerability in the wild at 9 a.m. on July 18, 2025, but acknowledged that it could have been weaponized much earlier.


“The attack vector was HTTP for how they could exploit the server,” the company said. “We had fixed a different issue related to AS2 in HTTP(S), not realizing that the prior bug could be used like this exploit was. Hackers apparently saw our code change and figured out a way to exploit the prior bug.”

CrushFTP is widely used in government, healthcare and corporate environments to manage sensitive file transfers. A compromised instance allows an attacker to exfiltrate data, inject backdoors, or pivot into internal systems that rely on the server for trusted exchange. Without DMZ isolation, the exposed instance becomes a single point of failure.

The company said an unknown threat actor behind the malicious activity managed to reverse engineer its source code and discovered the new flaw, using it to target devices that have not yet been updated to the latest version. CVE-2025-54309 is believed to have been present in CrushFTP builds prior to July 1.

CrushFTP has also released the following indicators of compromise (IoCs):

  • The default user has admin access
  • Long random user IDs have been created (for example, 7A0D26089AC528941BF8CB998D97F408M)

Security teams investigating a potential compromise should review user.xml modification times, correlate admin login events with public IPs, and audit permission changes on high-value folders. They should also look for suspicious patterns in the access logs tied to newly created users or unexplained admin role escalations, which are typical signs of post-exploitation behavior in real-world breach scenarios.
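A triage sketch for the checks above, added here as an example and not taken from CrushFTP or the original article: it flags user IDs shaped like the vendor's sample, lists `user.xml` files modified after a cutoff, and keeps admin logins from outside a management allowlist. The one-directory-per-user layout, the event field names and all sample data are assumptions constructed for illustration.

```python
import ipaddress
import os
import re
import tempfile
import time
from pathlib import Path

# The sample IoC is 32 hex characters plus one trailing letter. Treating any
# name of 24+ hex characters as "long random" is this example's assumption.
RANDOM_ID = re.compile(r"^[0-9a-f]{24,}[a-z]?$", re.IGNORECASE)

def triage_user_store(users_root, cutoff_epoch):
    """Return (random-looking IDs, users whose user.xml changed since cutoff)."""
    random_ids, recent = [], []
    for xml in sorted(Path(users_root).glob("*/user.xml")):
        user = xml.parent.name
        if RANDOM_ID.match(user):
            random_ids.append(user)
        if xml.stat().st_mtime >= cutoff_epoch:
            recent.append(user)
    return random_ids, recent

def admin_logins_outside(events, allowed_nets):
    """Keep admin logins whose source IP is outside the management allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return [e for e in events if e["admin"]
            and not any(ipaddress.ip_address(e["ip"]) in n for n in nets)]

def build_sample_store(root, now):
    """Constructed fixture: one old account and two touched a day ago."""
    for name, age_days in [("alice", 90), ("default", 1),
                           ("7A0D26089AC528941BF8CB998D97F408M", 1)]:
        xml = Path(root) / name / "user.xml"
        xml.parent.mkdir()
        xml.write_text("<user/>")  # placeholder body, not the real schema
        os.utime(xml, (now - age_days * 86400,) * 2)

# Constructed login events; the field names are hypothetical.
SAMPLE_EVENTS = [
    {"user": "ops", "admin": True, "ip": "10.1.2.3"},
    {"user": "default", "admin": True, "ip": "203.0.113.7"},
    {"user": "alice", "admin": False, "ip": "198.51.100.9"},
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_store(root, time.time())
        print(triage_user_store(root, time.time() - 7 * 86400))
    print(admin_logins_outside(SAMPLE_EVENTS, ["10.0.0.0/8"]))
```

Any account that appears in both the recently modified list and the out-of-allowlist admin logins is the first one to compare against a known-good backup.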

As a mitigation, the company recommends that users restore a previous default user from the backup folder and review upload/download reports for signs of suspicious transfers. Other steps include:

  • Restrict the IP addresses used for administrative actions
  • Allowlist the IPs that can connect to the CrushFTP server
  • Switch to a DMZ CrushFTP instance
  • Ensure automatic updates are enabled


At this stage, the exact nature of the attacks exploiting the flaw is unknown. At the beginning of April this year, another security flaw in the same solution (CVE-2025-31161, CVSS score: 9.8) was weaponized to deliver the MeshCentral agent and other malware.

It was also revealed last year that a second critical vulnerability affecting CrushFTP (CVE-2024-4040, CVSS score: 9.8) was exploited by threat actors to target multiple U.S. entities.

With multiple high-severity CVEs exploited over the past year, CrushFTP has emerged as a recurring target in advanced threat campaigns. Organizations should treat this pattern as part of a broader threat exposure assessment, alongside patch cadence, third-party file transfer risks, and zero-day detection workflows covering remote access tools and credential compromise.

