CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers.
CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S, and other protocols.
According to CrushFTP, threat actors were first detected exploiting the vulnerability on July 18th at 9AM CST, though it may have begun in the early hours of yesterday.
CrushFTP CEO Ben Spink told BleepingComputer that they’d previously fixed a vulnerability related to AS2 in HTTP(S) that inadvertently blocked this zero-day flaw as well.
“A prior fix by chance happened to block this vulnerability too, but the prior fix was targeting a different issue and turning off some rarely used feature by default,” Spink told BleepingComputer.
CrushFTP says it believes threat actors reverse engineered its software, discovered this new bug, and began exploiting it on devices that aren’t up to date on their patches.
“We believe this bug was in builds prior to July 1st time period roughly…the latest versions of CrushFTP already have the issue patched,” reads CrushFTP’s advisory.
“The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.
“As always we recommend regular and frequent patching. Anyone who had kept up to date was spared from this exploit.”
The attack occurs via the software’s web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. It’s unclear when these versions were released, but CrushFTP says around July 1st.
CrushFTP stresses that systems that have been kept up to date are not vulnerable.
Enterprise customers using a DMZ CrushFTP instance to isolate their main server are not believed to be affected by this vulnerability.
Administrators who believe their systems have been compromised are advised to restore the default user configuration from a backup dated before July 16th. Indicators of compromise include:
- Unexpected entries in MainUsers/default/user.XML, especially recent modifications or a last_logins field
- New, unrecognized admin-level usernames such as 7a0d26089ac528941bf8cb998d97f408m.
Spink says that they’re most commonly seeing the default user modified as the main IOC.
“Typically we have seen the default user modified as the main IOC. Typically, modified in very invalid ways that were still useable for the attacker but nobody else,” Spink told BleepingComputer.
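A triage check for the indicators listed above, written as an added example for this article and not CrushFTP’s own tooling: it flags unrecognized or machine-generated account names, logins on or after the backup cutoff, and malformed last_logins values of the kind Spink describes. The element names inside user.XML and the timestamp format of last_logins are assumptions, since the advisory only names the file and the field.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Advisory guidance: restore from a backup dated before July 16th, so a login
# recorded on or after that date is worth a second look.
CUTOFF = datetime(2025, 7, 16, tzinfo=timezone.utc)
# The sample rogue name on the page is 32 hex characters plus a trailing letter.
RANDOM_NAME = re.compile(r"^[0-9a-f]{32}[a-z]?$")

def triage_user_xml(xml_text, known_users):
    """Return IoC findings for one user.XML document (empty list = nothing seen).
    Assumed layout (constructed here, not CrushFTP's documented schema): a <user>
    root with <username> and a <last_logins> element whose text is a
    comma-separated list of ISO-8601 timestamps.
    """
    root = ET.fromstring(xml_text)
    findings = []
    name = (root.findtext("username") or "").strip()
    if name not in known_users:
        findings.append(f"unrecognized account: {name!r}")
    if RANDOM_NAME.match(name):
        findings.append(f"machine-generated username: {name!r}")
    for stamp in (root.findtext("last_logins") or "").split(","):
        stamp = stamp.strip()
        if not stamp:
            continue
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            # "Modified in very invalid ways": a value the server may still
            # accept but that no administrator would have written by hand.
            findings.append(f"malformed last_logins entry: {stamp!r}")
            continue
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        if when >= CUTOFF:
            findings.append(f"login on/after cutoff: {stamp}")
    return findings

# Constructed samples: one untouched account and one showing all three IoCs.
KNOWN_USERS = {"default", "alice"}
CLEAN = ("<user><username>alice</username>"
         "<last_logins>2025-07-10T08:00:00</last_logins></user>")
SUSPECT = ("<user><username>7a0d26089ac528941bf8cb998d97f408m</username>"
           "<last_logins>2025-07-18T14:02:11,garbage</last_logins></user>")
if __name__ == "__main__":
    for label, doc in (("alice", CLEAN), ("rogue", SUSPECT)):
        print(label, triage_user_xml(doc, KNOWN_USERS))
```

Run it against each MainUsers/<account>/user.XML with your real allowlist of accounts; any non-empty result should be compared against the pre-July 16th backup before the default user is restored.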
CrushFTP recommends reviewing the upload and download logs for unusual activity and taking the following steps to mitigate exploitation:
- IP whitelisting for server and admin access
- Use of a DMZ instance
- Enabling automatic updates
However, cybersecurity firm Rapid7 says using a DMZ may not be a reliable way to prevent exploitation.
“Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy,” warned Rapid7.
Currently, it’s unclear if the attacks were used for data theft or to deploy malware. However, managed file transfer solutions have become high-value targets for data theft campaigns in recent years.
In the past, ransomware gangs, usually Clop, have repeatedly exploited zero-day vulnerabilities in similar platforms, including Cleo, MOVEit Transfer, GoAnywhere MFT, and Accellion FTA, to conduct mass data theft and extortion attacks.