CrushFTP over the weekend warned that hackers have been exploiting a zero-day vulnerability in its managed file transfer software to gain administrative access to vulnerable servers.
Tracked as CVE-2025-54309 (CVSS score of 9.0), the flaw is described as the mishandling of AS2 validation when the DMZ proxy feature is not used, which allows remote attackers to obtain administrative privileges over HTTPS.
According to CrushFTP, the security defect exists in builds released prior to July 1. Builds released after that date are not affected, but only incidentally: a separate AS2 fix shipped in those builds happened to close the hole, and the company did not recognize at the time that the earlier bug was exploitable over HTTP(S).
“The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that the prior bug could be used like this exploit was,” CrushFTP notes in its advisory.
The firm believes that threat actors likely reverse-engineered its code and discovered they could exploit the bug against unpatched instances.
“Hackers apparently saw our code change, and figured out a way to exploit the prior bug,” CrushFTP says.
According to the company, only instances that are not using a DMZ in front of the application are at risk of exploitation.
CrushFTP says it first observed in-the-wild attacks on the morning of July 18, but the exploitation might have started earlier. CrushFTP versions 10 prior to 10.8.5 and versions 11 prior to 11.3.4_23 are impacted. Patches were included in CrushFTP versions 10.8.5_12 and 11.3.4_26.
Indicators of compromise (IoCs) include the presence of ‘last_logins’ entries in the default user’s XML file, a modified timestamp for the file, administrative access for the default user, the presence of long random userIDs, the existence of new usernames with admin access, the disappearance of buttons from the end-user web interface, and an admin button for regular users.
Additionally, the company explains that attackers have been observed altering the version string the software reports so that a compromised server appears to be already patched. CrushFTP therefore advises administrators not to trust the displayed version and to instead compare the MD5 hashes of the installed files against known-good values to detect tampering.
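The user-file indicators and the hash check described in the two paragraphs above can be turned into a simple offline triage script. The following is an added example, not code from CrushFTP or from the advisory: it scans a users directory for the indicators the advisory lists (last_logins entries on the default user, admin rights on the default user, a default-user file modified after a chosen cutoff, long random user IDs, and admin accounts outside a known list) and compares installed files against a known-good MD5 manifest. The per-user layout (`users/MainUsers/<name>/user.XML`), the element names `username`, `admin` and `last_logins/login`, the 24-character threshold for "long random userID", and all sample data are assumptions constructed for the demo, so adapt them to the real on-disk format before use.

```python
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

DEFAULT_USER = "default"  # the default account the advisory says attackers modify
# Heuristic for the advisory's "long random userIDs" indicator (threshold is an assumption).
RANDOM_ID_RE = re.compile(r"^[A-Za-z0-9]{24,}$")


def parse_user_xml(text):
    """Parse one per-user XML file. Element names are assumed for this example."""
    root = ET.fromstring(text)

    def field(tag):
        el = root.find(tag)
        return (el.text or "").strip() if el is not None else ""

    return {
        "username": field("username"),
        "admin": field("admin").lower() in ("true", "1", "yes"),
        "last_logins": [(e.text or "").strip() for e in root.findall("last_logins/login")],
    }


def scan_users(users_dir, known_admins, cutoff_mtime):
    """Return (username, reason) pairs for the user-file indicators in the advisory."""
    findings = []
    for path in sorted(Path(users_dir).glob("*/user.XML")):
        user = parse_user_xml(path.read_text())
        name = user["username"] or path.parent.name
        if name == DEFAULT_USER:
            if user["last_logins"]:
                findings.append((name, "default user has last_logins entries"))
            if user["admin"]:
                findings.append((name, "default user has admin rights"))
            if path.stat().st_mtime > cutoff_mtime:
                findings.append((name, "default user file modified after cutoff"))
        elif user["admin"] and name not in known_admins:
            findings.append((name, "unexpected admin account"))
        if RANDOM_ID_RE.match(name):
            findings.append((name, "long random userID"))
    return findings


def verify_md5(install_dir, manifest):
    """Compare each file's MD5 with a known-good manifest; return mismatched or missing paths."""
    bad = []
    for rel, expected in manifest.items():
        p = Path(install_dir) / rel
        if not p.exists() or hashlib.md5(p.read_bytes()).hexdigest() != expected:
            bad.append(rel)
    return bad


def demo():
    """Build a constructed CrushFTP-like tree in a temp dir and run both checks."""
    cutoff = 1752624000  # 2025-07-16 00:00 UTC, the restore point the advisory suggests
    day = 86400
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        users = root / "users" / "MainUsers"

        def write_user(name, admin, logins, mtime):
            d = users / name
            d.mkdir(parents=True)
            logins_xml = "".join(f"<login>{entry}</login>" for entry in logins)
            f = d / "user.XML"
            f.write_text(f"<user><username>{name}</username>"
                         f"<admin>{'true' if admin else 'false'}</admin>"
                         f"<last_logins>{logins_xml}</last_logins></user>")
            os.utime(f, (mtime, mtime))  # set the file timestamp the scan inspects

        # Constructed sample accounts: one legitimate admin, one tampered default, one implant.
        write_user("default", True, ["2025-07-18 03:12 203.0.113.7"], cutoff + 2 * day)
        write_user("alice", False, [], cutoff - day)
        write_user("crushadmin", True, [], cutoff - day)
        write_user("kQ9zXv2pR7LmN4wY8bT6cH3dJ5fG1sA0", True, [], cutoff + 2 * day)
        findings = scan_users(users, known_admins={"crushadmin"}, cutoff_mtime=cutoff)

        # Constructed install files: build the manifest, then tamper one file.
        jar = root / "CrushFTP.jar"
        jar.write_bytes(b"constructed jar bytes")
        page = root / "WebInterface" / "index.html"
        page.parent.mkdir()
        page.write_bytes(b"<html>original</html>")
        manifest = {
            "CrushFTP.jar": hashlib.md5(jar.read_bytes()).hexdigest(),
            "WebInterface/index.html": hashlib.md5(page.read_bytes()).hexdigest(),
        }
        page.write_bytes(b"<html>tampered</html>")
        mismatches = verify_md5(root, manifest)
    return findings, mismatches


if __name__ == "__main__":
    for item in demo()[0]:
        print("user indicator:", item)
    print("md5 mismatches:", demo()[1])
```

On a real host, point `scan_users` at the live users directory with `cutoff_mtime` set to the last known-good backup time, and build the manifest from hashes taken from a clean install of the same build rather than from the running server, since the attacker may have replaced those files as well.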
Administrators should restore the default user from a backup taken before the attack, or delete the default user outright, although deletion also discards any customizations previously made to that account.
“Review upload/download reports for anything transferred. Hackers re-used scripts from prior exploits to deploy things on CrushFTP servers. We recommend restoring the July 16th time-period just to avoid anything that might have been done. While we saw the major bulk of exploits in the morning of July 18th, the actual exploits may have been occurring a day earlier while administrators were asleep,” CrushFTP notes.
Administrators are also advised to implement IP limits for administrative accounts, filter IPs allowed to connect to the server, use a DMZ CrushFTP instance in front of the file transfer tool, and enable automatic updates to always stay on the latest application release.