CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access through the web interface on vulnerable servers.
CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S, and other protocols.
According to CrushFTP, threat actors were first detected exploiting the vulnerability on July 18th at 9AM CST, though exploitation may have begun in the early hours of the previous day.
CrushFTP CEO Ben Spink told BleepingComputer that the company had previously fixed a vulnerability related to AS2 in HTTP(S), and that this earlier fix inadvertently blocked the zero-day flaw as well.
“A prior fix by chance happened to block this vulnerability too, but the prior fix was targeting a different issue and turning off some rarely used feature by default,” Spink told BleepingComputer.
CrushFTP says it believes threat actors reverse engineered its software, discovered this new bug, and began exploiting it on devices that are not up to date on their patches.
“We believe this bug was in builds prior to July 1st time period roughly…the latest versions of CrushFTP already have the issue patched,” reads CrushFTP’s advisory.
“The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.
“As always we recommend regular and frequent patching. Anyone who had kept up to date was spared from this exploit.”
The attack occurs via the software’s web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. It is unclear exactly when these versions were released, but CrushFTP says around July 1st.
CrushFTP stresses that systems that have been kept up to date are not vulnerable.
Enterprise customers using a DMZ CrushFTP instance to isolate their main server are not believed to be affected by this vulnerability.
Administrators who believe their systems have been compromised are advised to restore the default user configuration from a backup dated before July 16th. Indicators of compromise include:
- Unexpected entries in MainUsers/default/user.XML, especially recent modifications or a last_logins field
- New, unrecognized admin-level usernames such as 7a0d26089ac528941bf8cb998d97f408m
Spink says that the most common indicator they are seeing is a modified default user.
“Mainly we have seen the default user modified as the main IOC. Mainly, modified in very invalid ways that were still usable for the attacker but no one else,” Spink told BleepingComputer.
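The indicators above (a patched-version check, a modified default user, an unexpected last_logins field, and unrecognized usernames) are mechanical enough to script. The following triage helper is an added example, not CrushFTP's own tooling or anything from the advisory. It assumes a simplified user.XML layout (a user root element with a username child and an optional last_logins child; the real file has many more fields), treats the "_23" version suffix as a numeric build counter with an absent suffix meaning build 0, and takes a KNOWN_USERS allowlist that the administrator supplies. The hex-blob username heuristic is the example's own, derived from the single sample username the advisory gives. The sample XML documents are constructed, not captured from a real server.

```python
"""Triage helper for the CVE-2025-54309 indicators listed above.

Added example, not CrushFTP's own tooling. Assumptions (not from the advisory):
  * user.XML layout is a constructed approximation: a <user> root with a
    <username> child and an optional <last_logins> child;
  * a version suffix such as "_23" is a numeric build counter, and a version
    without a suffix is treated as build 0;
  * known_users is an allowlist the administrator supplies.
"""
import os
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Patched releases named in the advisory; anything older on the same branch is vulnerable.
FIXED_BUILDS = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

# Backup cutoff named in the advisory: restore from a backup dated before July 16th.
CUTOFF = datetime(2025, 7, 16, tzinfo=timezone.utc)

# Heuristic (this example's, not CrushFTP's): the sample IoC username is 32 hex chars plus a letter.
HEX_BLOB_NAME = re.compile(r"^[0-9a-f]{32}[a-z]?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """'11.3.4_23' -> (11, 3, 4, 23); '10.8.5' -> (10, 8, 5, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def is_vulnerable(version: str) -> bool:
    """True when the build predates the patched release on its major branch.

    Branches other than 10 and 11 are not covered by the advisory; this
    example reports older majors as vulnerable and newer ones as patched.
    """
    parsed = parse_version(version)
    fixed = FIXED_BUILDS.get(parsed[0])
    if fixed is None:
        return parsed[0] < 10
    return parsed < fixed


def inspect_user_xml(xml_text: str, known_users: set, modified_at_iso: str) -> list:
    """Apply the advisory's user.XML indicators to one file; return human-readable findings."""
    modified_at = datetime.fromisoformat(modified_at_iso)
    if modified_at.tzinfo is None:          # treat naive timestamps as UTC
        modified_at = modified_at.replace(tzinfo=timezone.utc)
    findings = []
    root = ET.fromstring(xml_text)
    username = (root.findtext("username") or "").strip()
    label = username or "<no username>"
    if modified_at >= CUTOFF:
        findings.append(f"{label}: user.XML modified {modified_at.isoformat()}, on or after the July 16th cutoff")
    if root.find("last_logins") is not None:   # Element truthiness is not reliable; compare to None
        findings.append(f"{label}: unexpected last_logins field present")
    if username and username not in known_users:
        findings.append(f"{label}: username not in known-user allowlist")
    if HEX_BLOB_NAME.match(username):
        findings.append(f"{label}: username matches the hex-blob pattern of the sample IoC")
    return findings


def scan_main_users(base_dir: str, known_users: set) -> dict:
    """Walk a MainUsers directory and inspect every user.XML, keyed by relative path."""
    report = {}
    for dirpath, _dirs, files in os.walk(base_dir):
        if "user.XML" not in files:
            continue
        path = os.path.join(dirpath, "user.XML")
        mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc).isoformat()
        with open(path, encoding="utf-8") as fh:
            findings = inspect_user_xml(fh.read(), known_users, mtime)
        if findings:
            report[os.path.relpath(path, base_dir)] = findings
    return report


# Constructed samples for a stand-alone run (not captured from a real server).
CLEAN_USER_XML = """<user type="properties">
  <username>default</username>
  <root_dir>/</root_dir>
</user>"""

SUSPICIOUS_USER_XML = """<user type="properties">
  <username>7a0d26089ac528941bf8cb998d97f408m</username>
  <root_dir>/</root_dir>
  <last_logins type="vector"></last_logins>
</user>"""

if __name__ == "__main__":
    known = {"default", "alice", "bob"}
    for ver in ("10.8.4", "10.8.5", "11.3.3", "11.3.4_22", "11.3.4_23"):
        print(f"{ver:>10}: {'VULNERABLE' if is_vulnerable(ver) else 'patched'}")
    for name, xml in (("clean", CLEAN_USER_XML), ("suspicious", SUSPICIOUS_USER_XML)):
        print(name, inspect_user_xml(xml, known, "2025-07-18T09:00:00+00:00") or ["no findings"])
```

Run it against a copy of the MainUsers tree with scan_main_users("/path/to/MainUsers", known_users) rather than against the live server, since the advisory's own guidance is to restore the default user from a pre-July-16th backup, and the file timestamps on the live system will change as you remediate.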
CrushFTP recommends reviewing the upload and download logs for unusual activity and taking the following steps to mitigate exploitation:
- IP whitelisting for server and admin access
- Use of a DMZ instance
- Enabling automatic updates
However, cybersecurity firm Rapid7 says that using a DMZ is not a reliable method of preventing exploitation.
“Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy,” warned Rapid7.
At this time, it is unclear whether the attacks were used for data theft or to deploy malware. However, managed file transfer solutions have become high-value targets for data theft campaigns in recent years.
In the past, ransomware gangs, usually Clop, have repeatedly exploited zero-day vulnerabilities in similar platforms, including Cleo, MOVEit Transfer, GoAnywhere MFT, and Accellion FTA, to conduct mass data theft and extortion attacks.