CrushFTP 0-Day Vulnerability Actively Exploited to Breach Servers

A critical zero-day vulnerability in CrushFTP servers is being actively exploited by threat actors to compromise systems worldwide.

The vulnerability, designated CVE-2025-54309, was first observed in active exploitation on July 18th at 9:00 AM CST, though security researchers believe the attacks may have been under way for some time before they were detected.

Vulnerability Details and Attack Vector

The exploitation is a sophisticated case of reverse engineering: attackers analyzed CrushFTP’s codebase to identify and exploit a previously patched vulnerability that remained present in outdated installations.

The attack vector utilizes HTTP and HTTPS protocols to compromise vulnerable servers, making it particularly dangerous for internet-facing installations.

Field              Details
CVE ID             CVE-2025-54309
Discovery Date     July 18, 2025, 9:00 AM CST
Attack Vector      HTTP/HTTPS
Affected Versions  Version 10 < 10.8.5, Version 11 < 11.3.4_23

According to CrushFTP’s security advisory, the vulnerability stems from a bug that developers had already addressed in recent versions, but attackers discovered how to exploit the same underlying issue that affected older builds.

The company noted that hackers reverse-engineered their code changes and identified a method to exploit the pre-existing vulnerability in systems that had not been updated.

This highlights the critical importance of maintaining current software versions, as organizations running up-to-date CrushFTP installations were protected from this exploitation attempt.

Affected Systems and Versions

The vulnerability impacts a significant range of CrushFTP installations across two major version branches. All CrushFTP version 10 installations below 10.8.5 are susceptible to this exploit, as are all version 11 installations below 11.3.4_23.

The vulnerability appears to have been present in builds created prior to July 1st, making any installation from that timeframe potentially vulnerable to attack.

Enterprise customers utilizing a DMZ CrushFTP configuration positioned in front of their main servers remain unaffected by this particular vulnerability, demonstrating the security benefits of proper network segmentation and layered defense strategies.

Organizations can identify potential compromise through several key indicators. Affected systems typically show unauthorized modifications to the MainUsers/default/user.XML file, including the presence of “last_logins” entries and recent modification timestamps.

Additional signs include the default user gaining administrative access, creation of long random user IDs, and disappearance of buttons from the end-user web interface.

Threat actors have employed sophisticated evasion techniques, including manipulating version displays to show false version numbers, creating a deceptive sense of security for administrators. CrushFTP recommends using their validation hash function to detect unauthorized code modifications.
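The file-level indicators and version floors described above can be checked with a short script. This is an added example, not CrushFTP's own tooling or code from the advisory. It assumes each user is a subdirectory of MainUsers (as the MainUsers/default/user.XML path suggests); the 30-day window, the 20-character length heuristic and the sample tree are constructed for illustration.

```python
import os, re, sys, tempfile, time

# Fixed-version floors quoted in the article, keyed by major branch.
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

def is_affected(version):
    """True/False for branches 10 and 11, None if the string or branch is not covered."""
    try:
        parts = [int(p) for p in re.split(r"[._]", version.strip())]
    except ValueError:
        return None
    parts = tuple(parts + [0] * (4 - len(parts)))
    floor = FIXED.get(parts[0])
    return None if floor is None else parts < floor

def check_main_users(main_users_dir, recent_days=30, min_id_len=20, now=None):
    """Return a list of findings for the file-level indicators the article lists."""
    findings = []
    now = time.time() if now is None else now
    default_xml = os.path.join(main_users_dir, "default", "user.XML")
    if os.path.isfile(default_xml):
        age_days = (now - os.path.getmtime(default_xml)) / 86400
        if age_days <= recent_days:  # assumed window, tune to your change history
            findings.append(f"default/user.XML modified {age_days:.1f} days ago")
        with open(default_xml, encoding="utf-8", errors="replace") as fh:
            if "last_logins" in fh.read():
                findings.append("default/user.XML contains last_logins")
    for name in sorted(os.listdir(main_users_dir)):
        # Heuristic (assumption): long, purely alphanumeric directory names look random.
        if (os.path.isdir(os.path.join(main_users_dir, name))
                and len(name) >= min_id_len and name.isalnum()):
            findings.append(f"long random-looking user ID: {name}")
    return findings

def build_sample(root):
    """Constructed sample tree: a tampered default user, one normal user, one random ID."""
    for user, body in [("default", "<user><last_logins>x</last_logins></user>"),
                       ("alice", "<user></user>"),
                       ("k3Jx9QpLm2Zt8RwYb7Vn4Hc", "<user></user>")]:
        os.makedirs(os.path.join(root, user))
        with open(os.path.join(root, user, "user.XML"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for line in check_main_users(target):
        print("[!]", line)
    print("10.8.4 affected:", is_affected("10.8.4"))
```

Because attackers have falsified the displayed version, pass is_affected() a version string taken from a trusted source such as your own deployment records rather than the web interface. The script does not cover the administrative-access or missing-button indicators.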

Organizations should immediately update to the latest CrushFTP versions and implement recommended security measures including IP whitelisting and regular backup restoration procedures.
