Critical vulnerability in CrushFTP actively exploited to hijack servers
Take action: If you use CrushFTP file transfer servers, upgrade to the latest versions IMMEDIATELY. Attackers are actively exploiting all unpatched CrushFTP servers, and by the very nature of a file transfer server you cannot hide it from the internet. Check your logs for suspicious admin accounts or unexpected file transfers between July 16 and 18, 2025, and restore user configs from backups if you find anything suspicious.
CrushFTP is reporting that threat actors are actively exploiting a critical zero-day vulnerability in their product which allows unauthenticated attackers to gain full administrative access to vulnerable servers through the web interface.
CrushFTP is an enterprise file transfer server widely used by organizations to securely share and manage files over multiple protocols including FTP, SFTP, HTTP/S, and WebDAV.
The flaw is tracked as CVE-2025-54309 (CVSS score 9.0+) and is an unprotected alternate channel flaw caused by errors in the validation logic of the Applicability Statement 2 (AS2) protocol handling. The vulnerability was discovered and exploited by attackers who reverse-engineered CrushFTP's code changes after the company had fixed an unrelated AS2 HTTP(S) issue in early July 2025.
Threat actors were first detected exploiting the vulnerability on July 18, 2025, but CrushFTP warns that exploitation may have begun earlier, possibly in the early hours of the previous day.
CrushFTP CEO Ben Spink explained that the company had previously addressed a different vulnerability related to AS2 in HTTP(S) that inadvertently blocked this zero-day flaw as well. Hackers analyzed the code changes and discovered a way to exploit the underlying vulnerability that remained in older versions. The attack vector utilizes HTTP(S) connections to the server's web interface, allowing attackers to bypass authentication controls and gain administrator privileges.
CrushFTP emphasizes that systems kept up to date with the latest versions are not vulnerable to this exploit.
Affected Versions
- All CrushFTP version 10 below 10.8.5
- All CrushFTP version 11 below 11.3.4_23
The vulnerability has resulted in confirmed real-world breaches, with at least one German customer's CrushFTP server successfully compromised on the morning of July 18, 2025. Security researchers using Shadowserver honeypots began recording exploitation attempts within hours of the CrushFTP disclosure, indicating widespread scanning and attack attempts across the internet.
Organizations should immediately inspect their CrushFTP installations for the following signs of compromise:
- Presence of unexpected "last_logins" entries in users/MainUsers/default/user.XML file
- Recent modifications to the default user.XML file
- New high-entropy usernames with administrative privileges (example: 7a0d26089ac528941bf8cb998d97f408m)
- Missing UI elements in the end-user portal or sudden appearance of "Admin" buttons on ordinary user accounts
- Unusual outbound traffic patterns indicating data staging or exfiltration
- Unexpected entries in upload and download logs
Organizations should upgrade to the latest patched versions (CrushFTP 10.8.5+ or 11.3.4_23+) immediately and enable automatic updates for future releases.
If compromise is suspected, administrators should restore the default user configuration from a backup dated before July 16, 2025, and purge any rogue accounts. All upload and download activity between July 16-18, 2025, should be audited for suspicious transfers.
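The following script is an added example for triaging the indicators listed above; it is not CrushFTP's tooling. It assumes the per-user layout users/MainUsers/<username>/user.XML named in the advisory, that the "last_logins" indicator appears as an XML element of that name in the default user's file, and that the username-entropy thresholds (length, Shannon entropy, share of hex characters) are tuned only to the advisory's example name.

```python
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Advisory guidance: restore configs from backups dated before July 16, 2025.
CUTOFF = datetime(2025, 7, 16, tzinfo=timezone.utc).timestamp()
HEX = set("0123456789abcdef")


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def is_suspicious_username(name: str, min_len: int = 24,
                           min_entropy: float = 3.5, hex_ratio: float = 0.9) -> bool:
    """Flag machine-generated names like the advisory's example
    (32 hex characters plus a trailing letter). Thresholds are assumptions."""
    n = name.lower()
    hex_frac = sum(c in HEX for c in n) / len(n) if n else 0.0
    return len(n) >= min_len and shannon_entropy(n) >= min_entropy and hex_frac >= hex_ratio


def check_default_user_xml(xml_text: str, mtime: float, cutoff: float = CUTOFF) -> list:
    """Findings for users/MainUsers/default/user.XML: the default user is a
    template and should carry no login history. The element name last_logins
    comes from the advisory; its exact nesting in the file is an assumption."""
    findings = []
    if mtime >= cutoff:
        when = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
        findings.append("default user.XML modified on/after cutoff: " + when)
    for el in ET.fromstring(xml_text).iter():
        if el.tag.lower() == "last_logins" and (el.text or "").strip():
            findings.append("unexpected last_logins entry: " + el.text.strip())
    return findings


def audit_usernames(names) -> list:
    """Return the subset of users/MainUsers/ directory names that look generated."""
    return [n for n in names if is_suspicious_username(n)]


if __name__ == "__main__":
    # Constructed sample input, not a real CrushFTP file or account list.
    sample = "<user><username>default</username><last_logins>1752800000</last_logins></user>"
    print(check_default_user_xml(sample, mtime=1752900000.0))
    print(audit_usernames(["alice", "svc-backup", "7a0d26089ac528941bf8cb998d97f408m"]))
```

Run it against the mtime (os.stat) and contents of the real default user.XML and the directory names under users/MainUsers/; any finding should be cross-checked against the upload/download logs for the July 16 to 18 window.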
Update: as of 30 July 2025, researchers have published a complete proof-of-concept exploit.