Ethical Hacking News
New CrushFTP zero-day exploited in attacks to hijack servers - A severe vulnerability has been disclosed in CrushFTP that lets threat actors gain administrative access through the web interface of unpatched servers. Organizations are advised to prioritize patching and to check their servers for the indicators of compromise described below.
CrushFTP has fallen victim to a severe zero-day vulnerability (CVE-2025-54309) that allows attackers to gain administrative access via the web interface. Exploitation was first detected on July 18th, although the attacks are believed to have begun earlier. The threat actors apparently reverse engineered the CrushFTP software, noticed that a recent code change had closed this hole, and targeted servers that had not received it. Administrators who suspect compromise should restore the default user configuration from a backup dated before July 16th. Unusual activity in upload and download logs, new admin usernames, and unauthorized changes to MainUsers/default/user.XML are indicators of compromise. Risk is reduced by keeping the software up-to-date, IP whitelisting, using a DMZ instance, and enabling automatic updates.
CrushFTP, a widely used enterprise file transfer server, has fallen victim to a severe zero-day vulnerability that has been actively exploited by threat actors. The exploit, identified as CVE-2025-54309, allows attackers to gain administrative access via the web interface on vulnerable servers.
According to CrushFTP CEO Ben Spink, the threat actors were first detected exploiting this vulnerability on July 18th at 9AM CST, although the attacks may have begun in the early hours of the previous day. Spink explained that a prior fix for a different vulnerability, related to AS2 over HTTP(S), had inadvertently closed this zero-day flaw as well, and had also disabled another rarely used feature by default.
In a statement, CrushFTP acknowledged that threat actors reverse engineered its software, discovered this new bug, and began exploiting it on servers that were not up-to-date on their patches. The company assured users that the latest versions of CrushFTP already have the issue fixed.
The attack vector is HTTP(S), specifically the web interface of vulnerable servers. The attackers appear to have worked backwards from a prior code change by CrushFTP that fixed the unrelated AS2-over-HTTP(S) issue: by studying what that change altered, they identified this new vulnerability and a way to exploit it on servers that had not applied the change.
CrushFTP emphasizes that systems kept up-to-date are not vulnerable to this exploit. Administrators who believe their systems were compromised are advised to restore the default user configuration from a backup dated before July 16th. Indicators of compromise include unexpected entries in MainUsers/default/user.XML, in particular recent modifications or the presence of a last_logins field.
New, unrecognized admin-level usernames such as 7a0d26089ac528941bf8cb998d97f408m have also been observed as indicators of compromise. Spink noted that a modified default user has been the main indicator of compromise (IOC) CrushFTP has seen. The malicious edits were often invalid configurations that still worked for the attackers but not for legitimate users.
To detect and limit exploitation, CrushFTP recommends reviewing upload and download logs for unusual activity and taking the following steps: IP whitelisting for server and admin access, running a DMZ instance, and enabling automatic updates. Cybersecurity firm Rapid7, however, cautioned against relying on a DMZ as a mitigation.
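The indicator checks above are easy to run as a script. The following is an added example, not CrushFTP's own tooling: it walks user.XML records, flags the default user when it was modified after the trusted cutoff or carries last_logins data, reports admin accounts that are not on a known-good list, and applies a heuristic for random-looking usernames modelled on the example above. The element names <username>, <admin> and <last_logins>, the sample files and the regex are assumptions made for illustration; confirm the element names against a real user.XML before relying on it.

```python
import os
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# The advisory treats a backup dated before July 16th as trustworthy, so any
# user definition written after that date deserves a look.
CUTOFF = datetime(2025, 7, 16, tzinfo=timezone.utc)

# Heuristic only: the rogue account named in the article is 32 hex digits plus
# one trailing letter, so flag names that are long runs of hex.
RANDOM_NAME = re.compile(r"^[0-9a-f]{24,}[a-z]?$")

# Constructed sample of MainUsers/<name>/user.XML files as (path, mtime, body).
# The <username>, <admin> and <last_logins> element names are an ASSUMPTION
# made for this illustration, not CrushFTP's documented schema.
SAMPLE_FILES = [
    ("MainUsers/default/user.XML",
     datetime(2025, 7, 18, 14, 0, tzinfo=timezone.utc),
     "<user><username>default</username><admin>false</admin>"
     "<last_logins><login>2025-07-18T13:59:00Z</login></last_logins></user>"),
    ("MainUsers/crushadmin/user.XML",
     datetime(2025, 6, 30, tzinfo=timezone.utc),
     "<user><username>crushadmin</username><admin>true</admin></user>"),
    ("MainUsers/7a0d26089ac528941bf8cb998d97f408m/user.XML",
     datetime(2025, 7, 18, 14, 1, tzinfo=timezone.utc),
     "<user><username>7a0d26089ac528941bf8cb998d97f408m</username>"
     "<admin>true</admin></user>"),
    ("MainUsers/alice/user.XML",
     datetime(2025, 5, 2, tzinfo=timezone.utc),
     "<user><username>alice</username><admin>false</admin></user>"),
]


def scan_user_files(files, known_admins, cutoff=CUTOFF):
    """Return (severity, path, reason) findings for a list of user.XML records."""
    findings = []
    for path, mtime, body in files:
        root = ET.fromstring(body)
        name = root.findtext("username", default="").strip()
        is_admin = root.findtext("admin", default="false").strip().lower() == "true"
        is_default = path.endswith("MainUsers/default/user.XML")

        # Any write after the cutoff is suspicious; on the default user it is the main IOC.
        if mtime > cutoff:
            findings.append(("high" if is_default else "medium", path,
                             "user.XML modified after the trusted cutoff"))
        # The default user should not accumulate login history.
        if is_default and root.find("last_logins") is not None:
            findings.append(("high", path, "default user carries last_logins data"))
        # Admin rights on an account nobody recognises.
        if is_admin and name not in known_admins:
            findings.append(("high", path, f"unrecognised admin account {name!r}"))
        # Machine-generated-looking account name.
        if RANDOM_NAME.match(name):
            findings.append(("medium", path, f"random-looking username {name!r}"))
    return findings


def load_user_files(base_dir):
    """Read real MainUsers/<name>/user.XML files into the tuples scan_user_files expects."""
    records = []
    for entry in sorted(os.listdir(base_dir)):
        xml_path = os.path.join(base_dir, entry, "user.XML")
        if os.path.isfile(xml_path):
            mtime = datetime.fromtimestamp(os.path.getmtime(xml_path), tz=timezone.utc)
            with open(xml_path, encoding="utf-8") as fh:
                records.append((xml_path, mtime, fh.read()))
    return records


if __name__ == "__main__":
    # Replace SAMPLE_FILES with load_user_files("/path/to/CrushFTP/users/MainUsers")
    # and the set with your real admin accounts to run it against a server.
    for severity, path, reason in scan_user_files(SAMPLE_FILES, {"crushadmin"}):
        print(f"[{severity}] {path}: {reason}")
```

File modification times are only a coarse signal: an attacker who can edit user.XML can also reset its timestamp, so treat a clean mtime as absence of evidence, and compare the file contents against the pre-July-16th backup rather than trusting the scan alone.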
Ransomware gangs have repeatedly exploited zero-day vulnerabilities in similar file transfer platforms to conduct mass data theft and extortion attacks. The goal of the current campaign has not been stated, but the pattern suggests it may likewise be used for data theft or malware deployment. Organizations using CrushFTP should therefore prioritize patching and verify that their servers are running a fixed version.
CrushFTP says the latest versions, released around July 1st, already contain the fix. That the exploitation began more than two weeks later underlines the importance of regular and prompt patching.
In recent years, managed file transfer solutions have become high-value targets for data theft campaigns, and zero-day vulnerabilities are a common way for attackers to reach the sensitive data they hold.
This exploit is another reminder that organizations need to patch promptly, review logs for unusual activity, and restrict access to administrative interfaces. Those that stay informed about emerging vulnerabilities and act on them quickly minimize the risk of falling victim to attacks of this kind.
Related Information:
https://www.ethicalhackingnews.com/articles/New-CrushFTP-Vulnerability-Exposed-A-Zero-Day-Exploit-for-Hijacking-Servers-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-crushftp-zero-day-exploited-in-attacks-to-hijack-servers/
https://nvd.nist.gov/vuln/detail/CVE-2025-54309
https://www.cvedetails.com/cve/CVE-2025-54309/
Published: Fri Jul 18 22:19:31 2025 by llama3.2 3B Q4_K_M