Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on Unpatched Servers
A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS score of 9.0.
“CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS,” according to a description of the vulnerability in the NIST’s National Vulnerability Database (NVD).
CrushFTP, in an advisory, said it first detected the zero-day exploitation of the vulnerability in the wild on July 18, 2025, 9 a.m. CST, although it acknowledged that it may have been weaponized much earlier.
“The attack vector was HTTP(S) for how they could exploit the server,” the company said. “We had fixed a different issue related to AS2 in HTTP(S) not realizing that a prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.”
CrushFTP is widely used in government, healthcare, and enterprise environments to manage sensitive file transfers, making administrative access especially dangerous. A compromised instance can allow attackers to exfiltrate data, inject backdoors, or pivot into internal systems that rely on the server for trusted exchange. Without DMZ isolation, the exposed instance becomes a single point of failure.
The company said the unknown threat actors behind the malicious activity managed to reverse engineer its source code and discovered the new flaw to target devices that are yet to be updated to the latest versions. It’s believed that CVE-2025-54309 was present in CrushFTP builds prior to July 1.
CrushFTP has also released the following indicators of compromise (IoCs) –
- Default user has admin access
- Long random user IDs created (e.g., 7a0d26089ac528941bf8cb998d97f408m)
- Other new usernames created with admin access
- The file “MainUsers/default/user.xml” was recently modified and has a “last_logins” value in it
- Buttons from the end user web interface disappeared, and users previously identified as regular users now have an Admin button
Security teams investigating possible compromise should review user.xml modification times, correlate admin login events with public IPs, and audit permission changes on high-value folders. It’s also essential to look for suspicious patterns in access logs tied to newly created users or unexplained admin role escalations, which are typical signs of post-exploitation behavior in real-world breach scenarios.
As mitigations, the company recommends that users restore a prior default user from the backup folder, as well as review upload/download reports for any signs of suspicious transfers. Other steps include –
- Limit the IP addresses used for administrative actions
- Allowlist IPs that can connect to the CrushFTP server
- Switch to DMZ CrushFTP instance for enterprise use
- Ensure automatic updates are enabled
At this stage, the exact nature of the attacks exploiting the flaw is not known. Earlier this April, another security defect in the same solution (CVE-2025-31161, CVSS score: 9.8) was weaponized to deliver the MeshCentral agent and other malware.
Last year, it also emerged that a second critical vulnerability impacting CrushFTP (CVE-2024-4040, CVSS score: 9.8) was leveraged by threat actors to target multiple U.S. entities.
With multiple high-severity CVEs exploited over the past year, CrushFTP has emerged as a recurring target in advanced threat campaigns. Organizations should consider this pattern as part of broader threat exposure assessments, alongside patch cadence, third-party file transfer risks, and zero-day detection workflows involving remote access tools and credential compromise.
Source link
