New CrushFTP 0-Day Vulnerability Exploited in the Wild to Gain Access to Servers
A critical zero-day flaw in the CrushFTP managed file-transfer platform has been confirmed, with vendor and threat-intelligence sources reporting active exploitation beginning on 18 July 2025 at 09:00 CST.
Tracked as CVE-2025-54309, the bug allows unauthenticated attackers to obtain full administrative control of vulnerable servers over HTTPS.
CrushFTP says the issue was inadvertently resolved in builds released around 1 July, but thousands of organisations that delayed updating are now potential targets.
CrushFTP 0-Day Vulnerability Exploited
CrushFTP engineers linked the breach to incomplete validation logic added while fixing an unrelated AS2 bug earlier this summer. After reviewing the July code-diff, attackers reverse-engineered the change and discovered a way to route malicious HTTP(S) requests around the intended controls.
When the DMZ proxy feature is not deployed, the exploit grants the intruder administrator privileges, effectively a “God-mode” session from which they can create new users, siphon data, or move laterally inside corporate networks.
Rapid7 and Tenable rate the flaw 9.0+ on the CVSS v3.1 scale due to its network vector, zero-click nature, and potential for complete host compromise.
Shadowserver honeypots began recording exploitation attempts within hours of the CrushFTP disclosure, echoing previous mass-scanning waves that followed the 2025 springtime CVE-2025-31161 authentication bypass.
Impacted Versions
Product branch | Safe build or newer | Status before patch | Notes |
---|---|---|---|
CrushFTP 11 | 11.3.4_23 | < 11.3.4_23 | 11.3.4_26 is current “fast-fix” roll-up |
CrushFTP 10 | 10.8.5 | < 10.8.5 | 10.8.5_12 released 18 July |
Installations fronted by a properly configured CrushFTP DMZ instance are believed to block the exploit path, but Rapid7 cautions against relying solely on that architecture as a long-term defence.
Indicators of Compromise
Administrators should immediately inspect:
- users/MainUsers/default/user.XML – presence of an unexpected stanza or a recent modification timestamp.
- New high-entropy usernames (e.g., 7a0d26089ac528941bf8cb998d97f408m) with admin privileges.
- Missing UI elements in the end-user portal or sudden appearance of an “Admin” button on ordinary accounts.
- Unusual outbound traffic patterns indicating data staging.
Logs indicate that attackers are recycling scripts from earlier CrushFTP campaigns, targeting rapid user creation followed by bulk file downloads or remote shell drops.
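The checks above can be scripted. The following is an added example, not code from the article or from CrushFTP: it walks a users/MainUsers tree, flags usernames that look like random hex blobs (or have high Shannon entropy), user.XML files modified on or after a chosen cutoff, and accounts whose XML carries an administrator marker. The element name used for that marker (admin) is an assumption and should be set to whatever the installed build actually writes; the sample tree is constructed inline.

```python
import math
import os
import re
import tempfile
import time
import xml.etree.ElementTree as ET
from pathlib import Path

# Matches the 32-hex-plus-letter shape of the sample username quoted in the advisory.
HEX_BLOB = re.compile(r"^[0-9a-f]{32}[a-z]?$", re.IGNORECASE)

def shannon_entropy(s: str) -> float:
    """Bits per character: random hex names score about 3.5-4, real names lower."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values()) if s else 0.0

def is_suspicious_name(name: str) -> bool:
    return bool(HEX_BLOB.match(name)) or (len(name) >= 20 and shannon_entropy(name) > 3.5)

def flags_for_user(user_xml: Path, cutoff_epoch: float, admin_tag: str = "admin") -> list[str]:
    """IoC hits for one user.XML (username = parent directory); empty list means clean."""
    findings, username = [], user_xml.parent.name
    if is_suspicious_name(username):
        findings.append(f"high-entropy username {username!r}")
    if user_xml.stat().st_mtime >= cutoff_epoch:
        findings.append("user.XML modified on or after cutoff")
    root = ET.parse(user_xml).getroot()
    # ASSUMPTION: privilege is recorded as <admin>true</admin>; set admin_tag to the
    # element your CrushFTP build actually writes for administrator rights.
    if any((el.text or "").strip().lower() == "true" for el in root.iter(admin_tag)):
        findings.append(f"<{admin_tag}> is true")
    return findings

def scan_main_users(main_users: Path, cutoff_epoch: float) -> dict[str, list[str]]:
    """Walk users/MainUsers/*/user.XML and report only accounts with at least one hit."""
    report = {}
    for user_xml in sorted(main_users.glob("*/user.XML")):
        if hits := flags_for_user(user_xml, cutoff_epoch):
            report[user_xml.parent.name] = hits
    return report

def demo() -> dict[str, list[str]]:
    """Constructed sample tree: an old ordinary account plus a freshly created rogue admin."""
    base = Path(tempfile.mkdtemp())
    for name, admin in (("alice", "false"), ("7a0d26089ac528941bf8cb998d97f408m", "true")):
        (base / name).mkdir()
        (base / name / "user.XML").write_text(f"<user><username>{name}</username><admin>{admin}</admin></user>")
    week_ago = time.time() - 7 * 86400
    os.utime(base / "alice" / "user.XML", (week_ago, week_ago))  # alice pre-dates the cutoff
    return scan_main_users(base, cutoff_epoch=time.time() - 3 * 86400)
```

On a live server, point scan_main_users at the real users/MainUsers directory with a cutoff matching the last known-good backup (the article suggests before 16 July).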
- Patch now – upgrade to 11.3.4_23 / 10.8.5 or later; enable automatic updates for future releases.
- Restore defaults – if compromise is suspected, revert the default user from a backup dated before 16 July and purge rogue accounts.
- Audit transfers – review upload/download reports between 16–18 July for suspicious activity.
- Harden access – restrict admin and WebInterface IP ranges, enforce MFA and HTTPS-only, and deploy a DMZ proxy where feasible.
- Monitor – subscribe to vendor and CERT advisories; leverage IDS signatures released by Rapid7 and Tenable for CVE-2025-54309 traffic.
CVE-2025-54309 is CrushFTP’s third high-impact zero-day in 15 months, following the VFS sandbox escape (CVE-2024-4040) and the AWS4-HMAC race-condition bypass (CVE-2025-31161).
The parade of flaws echoes past supply-chain breaches involving MOVEit, GoAnywhere MFT, and Accellion FTA, underscoring the strategic value of file-transfer services to ransomware groups and espionage actors.
Shodan indices reveal more than 5,000 CrushFTP instances online; earlier 2024 data showed at least 1,400 remained unpatched weeks after a critical advisory.
With public proof-of-concept exploits likely to surface, analysts warn that opportunistic mass exploitation could spike in the coming days.
CrushFTP’s quick release of build 11.3.4_26 mitigates the immediate threat, but enterprises that treat file-transfer appliances as “set-and-forget” utilities remain vulnerable. Patch management, network segmentation, and vigilant log review are once again the top priorities.
For organisations yet to upgrade, the safest assumption is breach: restore from backups, rotate credentials, and prepare for potential incident-response investigations.