

Ethical Hacking News

CrushFTP Zero-Day Exploited in Coordinated Attack Campaigns to Gain Admin Access on Servers. The Vulnerability and Its Consequences: An In-Depth Analysis



A recent vulnerability in CrushFTP has been exploited by threat actors in coordinated attack campaigns, allowing them to gain administrative access to vulnerable servers. This alert highlights the importance of regular patching and cybersecurity best practices to prevent similar incidents.


  • The widely used enterprise file transfer server CrushFTP has been exploited by threat actors using a zero-day vulnerability.
  • The vulnerability, CVE-2025-54309, allows attackers to gain administrative access without authentication or authorization.
  • A prior fix for another issue inadvertently blocked the new zero-day flaw; CrushFTP has since patched the vulnerability in its latest versions.
  • Threat actors used HTTP(S) to exploit the server's web interface and modify default user configuration.
  • CrushFTP recommends IP whitelisting, DMZ instance use, and automatic updates to mitigate risk.
  • Cybersecurity firm Rapid7 cautions against relying solely on a DMZ as a mitigation strategy.
  • Regular patching and cybersecurity best practices are crucial for protecting systems and data from zero-day vulnerabilities.



    CrushFTP, a widely used enterprise file transfer server, has recently fallen victim to a zero-day vulnerability that has been exploited by threat actors in coordinated attack campaigns. The incident, which was first reported on July 18th, 2025, at approximately 9:00 AM CST, has left many organizations scrambling to patch their systems and prevent potential data breaches.

    According to CrushFTP CEO Ben Spink, the threat actors were able to exploit a previously unknown vulnerability in the software's web interface. The vulnerability, tracked as CVE-2025-54309, allows attackers to gain administrative access to vulnerable servers without requiring any authentication or authorization.

    Spink explained that a prior fix for another issue, related to AS2 in HTTP(S), had the unintended consequence of blocking the new zero-day flaw. CrushFTP has since patched the vulnerability in its latest versions, and the current versions of the software are considered secure.

    The attack vector used by threat actors was HTTP(S), which allowed them to exploit the server's web interface to gain access. The attackers were able to use this vulnerability to modify the default user configuration, create new admin-level usernames, and even upload files without authentication.

    In order to mitigate the risk of exploitation, CrushFTP recommends that administrators review their upload and download logs for unusual activity and implement the following security measures:

    1. IP whitelisting for server and admin access
    2. Use of a DMZ instance
    3. Enabling automatic updates

    However, cybersecurity firm Rapid7 has cautioned against relying solely on a DMZ (demilitarized zone) as a mitigation strategy to prevent exploitation.
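
    The log review and IP allowlisting recommended above can be combined into one audit pass. The following is an added example, not code from CrushFTP or from this article: the log format, the action names (USER_MODIFY, USER_CREATE_ADMIN, UPLOAD), the allowlisted networks and the account names are all hypothetical, and the sample lines are constructed.

```python
import ipaddress
from typing import NamedTuple

# Assumption: networks permitted to reach the server and its admin interface.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.10/32")]
# Assumption: admin accounts present at the last known-good review.
KNOWN_ADMINS = {"ops-admin"}

# Constructed sample in a hypothetical format (not CrushFTP's real log layout):
# timestamp source_ip session_user action target
SAMPLE_LOG = """\
2025-07-18T08:55:02 10.20.4.7 ops-admin LOGIN -
2025-07-18T09:00:11 203.0.113.45 - USER_MODIFY default
2025-07-18T09:00:14 203.0.113.45 - USER_CREATE_ADMIN svc-backup2
2025-07-18T09:01:30 203.0.113.45 - UPLOAD /inbox/a.bin
2025-07-18T09:05:00 10.20.9.1 alice UPLOAD /inbox/report.csv
not a log line
"""

class Finding(NamedTuple):
    line_no: int
    reason: str

def audit(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious property of each log line."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            # Lines that do not parse are reported, never silently skipped.
            findings.append(Finding(no, "unparseable line"))
            continue
        _ts, ip, user, action, target = parts
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding(no, "invalid source address"))
            continue
        if not any(addr in net for net in ALLOWLIST):
            findings.append(Finding(no, "source outside allowlist"))
        if action == "USER_MODIFY" and target == "default":
            findings.append(Finding(no, "default user configuration changed"))
        if action == "USER_CREATE_ADMIN" and target not in KNOWN_ADMINS:
            findings.append(Finding(no, "new admin account"))
        if action == "UPLOAD" and user == "-":
            findings.append(Finding(no, "unauthenticated upload"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

    The three behaviour checks mirror the activity described in this article: changes to the default user, new admin-level usernames, and uploads without authentication.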

    The incident highlights the importance of regular patching and cybersecurity best practices. It is crucial for organizations to ensure that their systems are up-to-date with the latest security patches and that all software, including file transfer servers like CrushFTP, is properly configured and monitored.

    Furthermore, the attack demonstrates the ongoing threat landscape, where zero-day vulnerabilities remain a significant concern for many organizations. As such, it is essential for businesses to prioritize cybersecurity awareness and invest in robust security measures to protect their systems and data from potential threats.

    In light of this incident, CrushFTP has emphasized the need for regular patching and cybersecurity best practices. The company's CEO stated that "as always, we recommend regularly and frequent patching. Anyone who had kept up to date was spared from this exploit."

    This alert serves as a warning to organizations that use CrushFTP or other file transfer servers with similar vulnerabilities. It is essential for these organizations to take immediate action to patch their systems, monitor their logs, and implement robust security measures to prevent potential breaches.

    In conclusion, the recent exploitation of the CrushFTP zero-day vulnerability highlights the importance of regular patching, cybersecurity best practices, and robust security measures. Organizations must prioritize their cybersecurity posture to protect themselves from potential threats and data breaches.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/CrushFTP-Zero-Day-Exploited-in-Coordinated-Attack-Campaigns-to-Gain-Admin-Access-on-ServersThe-Vulnerability-and-Its-Consequences-An-In-Depth-Analysis-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-54309

  • https://www.cvedetails.com/cve/CVE-2025-54309/


  • Published: Fri Jul 18 19:07:31 2025 by llama3.2 3B Q4_K_M












