

Ethical Hacking News

CrushFTP Zero-Day Vulnerability Exposed: A Threat to Enterprise Security




A critical zero-day vulnerability has been discovered in CrushFTP, a managed file transfer software used by many organizations worldwide. This vulnerability can be exploited via HTTPS when the DMZ proxy is disabled, allowing remote attackers to gain administrative privileges on vulnerable servers. CrushFTP has urged its customers to update to a fixed version of the software as soon as possible and provided guidelines for identifying and mitigating this vulnerability.

  • CrushFTP, a managed file transfer software, has been exposed to a zero-day vulnerability that can be exploited via HTTPS when the DMZ proxy is disabled.
  • The vulnerability (CVE-2025-54309) allows remote attackers to gain administrative privileges on vulnerable servers via HTTPS.
  • CrushFTP versions before 10.8.5 and 11.3.4_23 are vulnerable when the DMZ proxy is disabled.
  • Users should update to a fixed version (11.3.4_26 or 10.8.5_12) as soon as possible to prevent exploitation.
  • Indicators of compromise include unusual entries in the user.XML file, unknown admin users, and altered files.
  • User action items: validate MD5 hashes, restore a backup of the default user, review transfer logs for suspicious activity.



CrushFTP, a managed file transfer software used by many organizations worldwide, has been exposed to a zero-day vulnerability that can be exploited via HTTPS when the DMZ proxy is disabled. CrushFTP itself disclosed the issue, warning of the exploit on July 18th and stating that it had been actively exploited since then.

The vulnerability, tracked as CVE-2025-54309 (CVSS score of 9.0), allows remote attackers to gain administrative privileges on vulnerable servers via HTTPS. This is particularly concerning, as it means that even organizations with robust security measures in place can still be affected by this exploit.

According to CrushFTP's advisory, attackers reverse-engineered old code and found a bug that had already been patched in versions of the software released before July 1st. They were able to exploit this bug to gain access to unpatched systems via HTTP(S). CrushFTP had earlier fixed a different issue related to AS2 in HTTP(S) without realizing that this prior bug could also be used for exploitation.

CrushFTP versions before 10.8.5 and 11.3.4_23 are vulnerable to this exploit when the DMZ proxy is disabled. The patched versions, released by July 18, 2025, are 11.3.4_26 and 10.8.5_12.

CrushFTP has urged its customers to update to a fixed version of the software as soon as possible to prevent this vulnerability from being exploited. In the meantime, users should be aware of the indicators of compromise for CrushFTP, which include unusual entries in the user.XML file, recent modification dates, unknown admin users, long random usernames, missing WebInterface buttons, fake version numbers shown by attackers, and altered files.

Users can also validate MD5 hashes via the "About" tab to check for tampering or injected code. If exploited, users should restore a backup of the default user from before July 18th via CrushFTP/backup/users/MainUsers/default. Alternatively, they can delete the default user to let CrushFTP recreate it (without their custom settings).

The company also recommends reviewing transfer logs for suspicious activity, as attackers reused old scripts. It is safest to restore to the July 16 state.
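A defender-side triage script for the user.XML indicators described above (unknown admin users, long random usernames, modification dates on or after July 18th), added here as an example; it is not part of the article or of CrushFTP's own tooling. It assumes a user.XML record with <username> and <admin> elements and a users directory laid out as CrushFTP/users/MainUsers/<user>/user.XML; both are assumptions, so adapt the element names and path to the real files, and the sample record and admin allow-list are constructed.

```python
import math
import os
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

# Constructed sample user record. The <username> and <admin> element names are
# assumptions about CrushFTP's user.XML layout; adapt them to your real files.
SAMPLE_USER_XML = """<user>
  <username>7c1f0a9e3b2d4f6e8a0b1c2d3e4f5a6b7c8d9e0f</username>
  <admin>true</admin>
</user>"""
KNOWN_ADMINS = {"crushadmin"}  # constructed allow-list of expected admin accounts
CUTOFF = datetime(2025, 7, 18, tzinfo=timezone.utc)  # exploitation start per the advisory

def shannon_entropy(s):
    """Bits per character; hex-like random names score near 4, words far lower."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def triage_user_xml(xml_text, mtime_iso, known_admins=KNOWN_ADMINS, cutoff=CUTOFF):
    """Return the indicators matched by one user record ([] means nothing flagged).
    mtime_iso is an ISO 8601 timestamp with a UTC offset, e.g. 2025-07-19T03:00:00+00:00."""
    root = ET.fromstring(xml_text)
    name = (root.findtext("username") or "").strip()
    is_admin = (root.findtext("admin") or "").strip().lower() == "true"
    mtime = datetime.fromisoformat(mtime_iso)
    findings = []
    if is_admin and name not in known_admins:
        findings.append(f"unknown admin user: {name!r}")
    # "Long random usernames": long and high-entropy (thresholds are assumptions)
    if len(name) >= 20 and shannon_entropy(name) >= 3.5:
        findings.append(f"long random username: {name!r}")
    if mtime >= cutoff:
        findings.append(f"modified on/after {cutoff.date()}: {mtime.isoformat()}")
    return findings

def scan_users_dir(path):
    """Triage every user.XML below path (assumed: CrushFTP/users/MainUsers)."""
    report = {}
    for dirpath, _, files in os.walk(path):
        for fn in files:
            if fn.lower() == "user.xml":
                full = os.path.join(dirpath, fn)
                mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
                with open(full, encoding="utf-8") as fh:
                    findings = triage_user_xml(fh.read(), mtime.isoformat())
                if findings:
                    report[full] = findings
    return report
```

A hit on any indicator is a reason to compare the record against a backup taken before July 18th, not proof of compromise on its own.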

In conclusion, the exposure of this zero-day vulnerability in CrushFTP highlights the ongoing threat landscape and the importance of staying up-to-date with software patches and security measures. Organizations that rely on CrushFTP should take immediate action to update their systems and ensure they have robust security controls in place to prevent exploitation of this vulnerability.



Related Information:
  • https://www.ethicalhackingnews.com/articles/CrushFTP-Zero-Day-Vulnerability-Exposed-A-Threat-to-Enterprise-Security-ehn.shtml
  • https://securityaffairs.com/180244/hacking/crushftp-zero-day-actively-exploited-at-least-since-july-18.html
  • https://nvd.nist.gov/vuln/detail/CVE-2025-54309
  • https://www.cvedetails.com/cve/CVE-2025-54309/

Published: Tue Jul 22 12:22:19 2025 by llama3.2 3B Q4_K_M












