CrushFTP

CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers.

CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S, and other protocols.

According to CrushFTP, threat actors were first detected exploiting the vulnerability on July 18th at 9AM CST, although it may have begun in the early hours of yesterday.

CrushFTP CEO Ben Spink told BleepingComputer that they had previously fixed a vulnerability related to AS2 in HTTP(S) that inadvertently blocked this zero-day flaw as well.

“A prior fix by chance happened to block this vulnerability too, but the prior fix was targeting a different issue and turning off some rarely used feature by default,” Spink told BleepingComputer.

CrushFTP says it believes threat actors reverse engineered its software, discovered this new bug, and began exploiting it on devices that are not up to date on their patches.

“We believe this bug was in builds prior to July 1st time period roughly…the latest versions of CrushFTP already have the issue patched,” reads CrushFTP’s advisory.

“The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.

“As always we recommend regular and frequent patching. Anyone who had kept up to date was spared from this exploit.”

The attack occurs via the software’s web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. It is unclear when these versions were released, but CrushFTP says around July 1st.

CrushFTP stresses that systems that have been kept up to date are not vulnerable.

Enterprise customers using a DMZ CrushFTP instance to isolate their main server are not believed to be affected by this vulnerability.

Administrators who believe their systems have been compromised are advised to restore the default user configuration from a backup dated before July 16th. Indicators of compromise include:

  • Unexpected entries in MainUsers/default/user.XML, especially recent modifications or a last_logins field
  • New, unrecognized admin-level usernames such as 7a0d26089ac528941bf8cb998d97f408m.

Spink says that they are mostly seeing the default user modified as the main IOC.

“Mostly we have seen the default user modified as the main IOC. Sometimes, modified in very invalid ways that were still usable for the attacker but no one else,” Spink told BleepingComputer.
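The indicators above (a modified default user, a last_logins field, unrecognized admin-level usernames, files changed after the July 16th backup cutoff) can be checked mechanically. The script below is an added example, not CrushFTP’s or BleepingComputer’s code; the XML element names (`username`, `admin_type`, `last_logins`), the per-user file layout, and the sample files are assumptions constructed for illustration, not CrushFTP’s real schema.

```python
"""Audit CrushFTP-style user.XML files for the advisory's indicators of compromise."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Restore-point cutoff from the advisory: anything changed after this is suspect.
BASELINE = datetime(2025, 7, 16, tzinfo=timezone.utc)


def audit_user_file(path, xml_text, mtime, known_admins):
    """Return human-readable findings for one user.XML file (empty list = clean)."""
    findings = []
    root = ET.fromstring(xml_text)
    # ASSUMED element names; adjust to the real file layout before use.
    username = (root.findtext("username") or "").strip()
    admin_type = (root.findtext("admin_type") or "none").strip().lower()
    if mtime > BASELINE:
        findings.append(f"{path}: modified {mtime.isoformat()} (after backup baseline)")
    if root.find("last_logins") is not None:
        findings.append(f"{path}: unexpected last_logins field on user '{username}'")
    if admin_type != "none" and username not in known_admins:
        findings.append(f"{path}: unrecognized admin-level user '{username}'")
    return findings


def audit_all(files, known_admins):
    """files maps path -> (xml_text, mtime); returns all findings in path order."""
    out = []
    for path, (xml_text, mtime) in sorted(files.items()):
        out.extend(audit_user_file(path, xml_text, mtime, frozenset(known_admins)))
    return out


# Constructed sample inputs (not real server data). 'crushadmin' stands in for
# an administrator account the operator knows to be legitimate.
SAMPLE_FILES = {
    "MainUsers/default/user.XML": (
        "<user><username>default</username><admin_type>none</admin_type>"
        "<last_logins>2025-07-18 09:02:11</last_logins></user>",
        datetime(2025, 7, 18, 14, 2, tzinfo=timezone.utc)),
    "MainUsers/7a0d26089ac528941bf8cb998d97f408m/user.XML": (
        "<user><username>7a0d26089ac528941bf8cb998d97f408m</username>"
        "<admin_type>full</admin_type></user>",
        datetime(2025, 7, 18, 14, 3, tzinfo=timezone.utc)),
    "MainUsers/crushadmin/user.XML": (
        "<user><username>crushadmin</username><admin_type>full</admin_type></user>",
        datetime(2025, 6, 30, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for line in audit_all(SAMPLE_FILES, {"crushadmin"}):
        print(line)
```

On a real host, populate the dictionary from the server's user directory with each file's mtime and pass the set of administrator accounts you provisioned yourself.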

CrushFTP recommends reviewing the upload and download logs for unusual activity and taking the following steps to mitigate exploitation:

  • IP whitelisting for server and admin access
  • Use of a DMZ instance
  • Enabling automatic updates

However, cybersecurity firm Rapid7 says using a DMZ may not be a reliable way to prevent exploitation.

“Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy,” warned Rapid7.

Currently, it is unclear whether the attacks have been used for data theft or to deploy malware. However, managed file transfer solutions have become high-value targets for data theft campaigns in recent years.

In the past, ransomware gangs, usually Clop, have repeatedly exploited zero-day vulnerabilities in similar platforms, including Cleo, MOVEit Transfer, GoAnywhere MFT, and Accellion FTA, to conduct mass data theft and extortion attacks.
