CrushFTP

CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access through the web interface on vulnerable servers.

CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S, and other protocols.

According to CrushFTP, threat actors were first detected exploiting the vulnerability on July 18th at 9AM CST, although the attacks may have begun in the early hours of the previous day.

CrushFTP CEO Ben Spink told BleepingComputer that the company had previously fixed a vulnerability related to AS2 in HTTP(S), and that the fix inadvertently blocked this zero-day flaw as well.

“A prior fix by chance happened to block this vulnerability too, but the prior fix was targeting a different issue and turning off some rarely used feature by default,” Spink told BleepingComputer.

CrushFTP says it believes threat actors reverse engineered its software, discovered this new bug, and began exploiting it on devices that were not up to date on their patches.

“We believe this bug was in builds prior to July 1st time period roughly…the latest versions of CrushFTP already have the issue patched,” reads CrushFTP’s advisory.

“The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.

“As always we recommend regular and frequent patching. Anyone who had kept up to date was spared from this exploit.”

The attack is carried out via the software’s web interface and affects versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. It is unclear exactly when these versions were released, but CrushFTP says around July 1st.

CrushFTP stresses that systems that have been kept up to date are not vulnerable.

Enterprise customers using a DMZ CrushFTP instance to isolate their main server are not believed to be affected by this vulnerability.

Administrators who believe their systems have been compromised are advised to restore the default user configuration from a backup dated before July 16th. Indicators of compromise include:

  • Unexpected entries in MainUsers/default/user.XML, especially recent modifications or a last_logins field
  • New, unrecognized admin-level usernames such as 7a0d26089ac528941bf8cb998d97f408m.

Spink says the most common indicator they are seeing is a modified default user.

“Generally we have seen the default user modified as the main IOC. Often, modified in very invalid ways that were still usable for the attacker but no one else,” Spink told BleepingComputer.
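The indicators above (a rewritten MainUsers/default/user.XML, a new last_logins field, hex-string admin usernames, and Spink's remark that the default user is often left as invalid-but-working XML) lend themselves to a quick triage sweep of the users directory. The following script is an added example written for this page; it is not CrushFTP's or BleepingComputer's code. It assumes a per-user layout of MainUsers/<username>/user.XML (the advisory only names the default user's file), treats any last_logins element anywhere in the document as suspicious because the advisory does not say where the field sits in the schema, uses a 32-hex-character username heuristic derived from the single sample username in the advisory, and flags files modified on or after July 16th, the backup date the advisory names. The sample tree it scans is constructed in a temp directory and does not reproduce CrushFTP's real XML schema.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

# Heuristic derived from the one sample username in the advisory
# (7a0d26089ac528941bf8cb998d97f408m): 32 hex characters, optional trailing letter.
HEX_USERNAME = re.compile(r"^[0-9a-f]{32}[a-z]?$")

# The advisory tells admins to restore from a backup dated before July 16th;
# anything written on or after that date deserves a look.
CUTOFF = datetime(2025, 7, 16, tzinfo=timezone.utc)


def scan_users(users_root, known_users, cutoff=CUTOFF):
    """Return (username, reason) findings for every user record under MainUsers.

    Assumed layout: <users_root>/MainUsers/<username>/user.XML. The advisory only
    names MainUsers/default/user.XML; the per-user layout is an assumption here.
    """
    findings = []
    main_users = Path(users_root) / "MainUsers"
    for user_dir in sorted(p for p in main_users.iterdir() if p.is_dir()):
        name = user_dir.name
        if HEX_USERNAME.match(name):
            findings.append((name, "username matches hex-string pattern"))
        if name not in known_users:
            findings.append((name, "username not in known-user baseline"))
        xml_path = user_dir / "user.XML"
        if not xml_path.is_file():
            continue
        mtime = datetime.fromtimestamp(xml_path.stat().st_mtime, tz=timezone.utc)
        if mtime >= cutoff:
            findings.append((name, f"user.XML modified after cutoff ({mtime.date()})"))
        try:
            root = ET.parse(xml_path).getroot()
        except ET.ParseError as exc:
            # Spink: the default user was often "modified in very invalid ways" that
            # still worked for the attacker, so an unparseable file is itself a finding.
            findings.append((name, f"user.XML does not parse: {exc}"))
            continue
        # The advisory names a last_logins field as an indicator; its position in
        # the schema is not given, so search the whole document.
        if root.find(".//last_logins") is not None:
            findings.append((name, "user.XML contains a last_logins field"))
    return findings


def group_by_user(findings):
    """Collapse (username, reason) pairs into {username: [reasons]}."""
    grouped = {}
    for name, reason in findings:
        grouped.setdefault(name, []).append(reason)
    return grouped


def _write_user(main_users, name, body, when):
    """Write a constructed user.XML with a chosen modification time (sample data)."""
    user_dir = main_users / name
    user_dir.mkdir(parents=True)
    path = user_dir / "user.XML"
    path.write_text(body, encoding="utf-8")
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def build_sample_tree(root):
    """Constructed sample data; element names do not reproduce CrushFTP's real schema."""
    main_users = Path(root) / "MainUsers"
    before = datetime(2025, 6, 1, tzinfo=timezone.utc)
    after = datetime(2025, 7, 18, tzinfo=timezone.utc)
    # Clean, known user untouched since June.
    _write_user(main_users, "admin",
                "<user><username>admin</username></user>", before)
    # Default user rewritten after the cutoff and carrying a last_logins field.
    _write_user(main_users, "default",
                "<user><username>default</username><last_logins>1</last_logins></user>", after)
    # Known user whose record was left as invalid XML.
    _write_user(main_users, "svc", "<user><username>svc</username>", after)
    # Unknown hex-string username matching the advisory's sample.
    _write_user(main_users, "7a0d26089ac528941bf8cb998d97f408m",
                "<user><username>x</username></user>", after)


def run_demo():
    """Build the sample tree in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_users(tmp, known_users={"admin", "default", "svc"})


if __name__ == "__main__":
    for user, reasons in group_by_user(run_demo()).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On a real server, point `scan_users` at the CrushFTP users directory and pass the set of usernames from a pre-July-16th backup as `known_users`; any hit on the default user or an unrecognized name is the cue to restore that configuration from backup as the advisory recommends, and to pull the upload and download logs for the same window.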

CrushFTP recommends reviewing the upload and download logs for unusual activity and taking the following steps to mitigate exploitation:

  • IP whitelisting for server and admin access
  • Use of a DMZ instance
  • Enabling automatic updates

However, cybersecurity firm Rapid7 says using a DMZ may not be a reliable way to prevent exploitation.

“Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy,” warned Rapid7.

At this time, it is unclear whether the attacks were used for data theft or to deploy malware. However, managed file transfer solutions have become high-value targets for data theft campaigns in recent years.

In the past, ransomware gangs, usually Clop, have repeatedly exploited zero-day vulnerabilities in similar platforms, including Cleo, MOVEit Transfer, GoAnywhere MFT, and Accellion FTA, to conduct mass data theft and extortion attacks.
