CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers. The attack occurs via the software's web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. It is unclear when these versions were released, but CrushFTP says around July 1st. "We believe this bug was in builds prior to July 1st time period roughly...the latest versions of CrushFTP already have the issue patched," reads CrushFTP's advisory. According to CrushFTP, threat actors were first detected exploiting the vulnerability on July 18th at 9AM CST, though it may have begun in the early hours of the previous day. CrushFTP CEO Ben Spink told BleepingComputer that they had previously fixed a vulnerability related to AS2 in HTTP(S) that inadvertantly blocked this zero-day flaw as well. "A prior fix by chance happened to block this vulnerability too, but the prior fix was targeting a different issue and turning off some rarely used feature by default," Spink told BleepingComputer. CrushFTP says it believes threat actors reverse engineered their software and discovered this new bug and had begun exploiting it on devices that are not up-to-date on their patches. In the past, ransomware gangs, usually Clop, have repeatedly exploited zero-day vulnerabilities in similar platforms, including Cleo, MOVEit Transfer, GoAnywhere MFT, and Accellion FTA, to conduct mass data theft and extortion attacks. CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S, and other protocols. Enterprise customers using a DMZ CrushFTP instance to isolate their main server are not believed to be affected by this vulnerability. Lawrence Abrams Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Administrators who believe their systems were compromised are advised to restore the default user configuration from a backup dated before July 16th. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Spink says that they are most commonly seeing the default user modified as the main IOC. In general, modified in very invalid ways that were still useable for the attacker but no one else," Spink told BleepingComputer. This free, editable board report deck helps security leaders present risk, impact, and priorities in clear business terms.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 18 Jul 2025 22:25:13 +0000