Critical CrushFTP vulnerability exploited. Have you been targeted? (CVE-2025-54309)

Unknown attackers have exploited a vulnerability (CVE-2025‑54309) in the CrushFTP enterprise file-transfer server solution to gain administrative access to vulnerable deployments.

It’s currently unclear what the attackers are using this access for, but data theft looks most likely.

According to the Shadowserver Foundation, there are currently around 1,040 exposed and unpatched CrushFTP instances vulnerable to CVE-2025-54309, predominantly located in the US, Europe, and Canada.

How many have been compromised since the attacks began is difficult to know for sure. Organizations that use CrushFTP and haven’t upgraded their instance(s) lately should check whether they have been breached.

About CVE-2025‑54309

On Friday (July 18), the CrushFTP team warned about attackers using a 0-day exploit, after apparently reverse engineering a recent update and discovering a bug that the maintainers had already fixed.

CVE-2025-54309 stems from CrushFTP mishandling the validation of Applicability Statement 2 (AS2) and allows remote, unauthenticated attackers to obtain admin access to exposed CrushFTP web interfaces via HTTPS.

“We believe this bug was in builds prior to July 1st time period roughly…the latest versions of CrushFTP already have the issue patched,” the maintainers said.

“We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was.”

CVE-2025-54309 affects:

• CrushFTP 10 prior to v10.8.5
• CrushFTP 11 prior to v11.3.4_23

What should you do?

Organizations that use CrushFTP and have upgraded to the most recent available version soon after it has been made available have likely not been breached.

According to the maintainers, “enterprise customers with a DMZ CrushFTP in front of their main [instance]” have also not been affected by the exploit, though Rapid7 researchers say customers shouldn’t count on a demilitarized zone (DMZ) as a mitigation strategy.

CrushFTP developers have outlined indicators of compromise enterprises should look for when checking whether their instance(s) have been successfully targeted, advice on what to do if they find out they’ve been affected, and advice on how to minimize the risk of their instances getting compromised in the future.

Since April 2024, attackers have exploited two vulnerabilities in CrushFTP (CVE-2024-4040 and CVE-2025-2825), as well as zero and n-day vulnerabilities in other popular file transfer solutions used by businesses.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!