A critical zero-day flaw in the CrushFTP managed file-transfer platform, tracked as CVE-2025-54309, is under active exploitation. Vendor and threat-intelligence sources put the start of the attacks at 09:00 CST on 18 July 2025, and Shadowserver honeypots began recording exploitation attempts within hours of CrushFTP's disclosure, echoing the mass-scanning waves that followed the CVE-2025-31161 authentication bypass in spring 2025.

CrushFTP says the issue was inadvertently resolved in builds released around 1 July, but thousands of organisations that delayed updating are now potential targets. After reviewing the July code-diff, attackers reverse-engineered the change and discovered a way to route malicious HTTP(S) requests around the intended controls.

Rapid7 and Tenable rate the flaw 9.0 or higher on the CVSS v3.1 scale: it is reachable over the network, needs no user interaction, and can lead to complete host compromise. When the DMZ proxy feature is not deployed, the exploit grants the intruder administrator privileges, effectively a "God-mode" session from which they can create new users, siphon data, or move laterally inside corporate networks. Installations fronted by a properly configured CrushFTP DMZ instance are believed to block the exploit path, but Rapid7 cautions against relying solely on that architecture as a long-term defence.

Logs indicate that attackers are recycling scripts from earlier CrushFTP campaigns: rapid user creation followed by bulk file downloads or remote shell drops. Shodan indices reveal more than 5,000 CrushFTP instances online, and earlier 2024 data showed at least 1,400 still unpatched weeks after a critical advisory.

CrushFTP's quick release of build 11.3.4_26 curbs the immediate threat, but enterprises that treat file-transfer appliances as "set-and-forget" utilities remain at risk. For organisations yet to upgrade, the safest assumption is breach: restore from backups, rotate credentials, and prepare for a potential incident-response investigation.

Restore defaults – if compromise is suspected, revert the default user from a backup dated before 16 July and purge rogue accounts.

Monitor – subscribe to vendor and CERT advisories, and leverage the IDS signatures released by Rapid7 and Tenable for CVE-2025-54309 traffic.

The parade of flaws echoes past supply-chain breaches involving MOVEit, GoAnywhere MFT, and Accellion FTA, underscoring the strategic value of file-transfer services to ransomware groups and espionage actors.
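The two response steps above, hunting for the "rapid user creation followed by bulk downloads" pattern the article attributes to the attackers and purging accounts that a pre-16-July backup does not know about, as an added example. This is illustration code written for this page, not a CrushFTP tool and not one of the Rapid7 or Tenable signatures; the five-column event layout, the account names, the timestamps and the thresholds are all constructed assumptions, to be mapped onto your own server logs and tuned for your environment.

```python
"""Hunt for 'burst of account creation, then bulk download' and diff current
accounts against a pre-cutoff backup. Example code for this article; the event
layout below is constructed and is NOT CrushFTP's own log format."""
from collections import namedtuple
from datetime import datetime, timedelta, timezone

Event = namedtuple("Event", "ts session actor action obj")
Finding = namedtuple("Finding", "creator new_user created_at downloads")

# Constructed sample feed: timestamp, session, actor, action, object.
# 'bob' is a legitimate one-off account creation and should not be flagged;
# the 18 July burst mirrors the pattern described in the article.
SAMPLE_EVENTS = """\
2025-07-10T11:00:00Z s-00 ftpadmin user_create bob
2025-07-10T11:30:00Z s-01 bob download /shared/onboarding.pdf
2025-07-10T11:31:00Z s-01 bob download /shared/handbook.pdf
2025-07-10T11:32:00Z s-01 bob download /shared/org-chart.pdf
2025-07-10T11:33:00Z s-01 bob download /shared/benefits.pdf
2025-07-10T11:34:00Z s-01 bob download /shared/holidays.pdf
2025-07-10T11:35:00Z s-01 bob download /shared/it-policy.pdf
2025-07-18T09:02:11Z s-10 ftpadmin login -
2025-07-18T09:02:15Z s-10 ftpadmin user_create svc_backup2
2025-07-18T09:02:19Z s-10 ftpadmin user_create tmpuser9
2025-07-18T09:03:40Z s-11 svc_backup2 login -
2025-07-18T09:03:44Z s-11 svc_backup2 download /finance/q2_ledger.xlsx
2025-07-18T09:03:50Z s-11 svc_backup2 download /finance/payroll_2025.csv
2025-07-18T09:03:55Z s-11 svc_backup2 download /hr/employee_export.csv
2025-07-18T09:04:01Z s-11 svc_backup2 download /legal/contracts.zip
2025-07-18T09:04:08Z s-11 svc_backup2 download /engineering/source_snapshot.tgz
2025-07-18T14:10:30Z s-12 alice download /shared/report.pdf
"""


def parse_events(text):
    """Parse the constructed feed into Event tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, actor, action, obj = line.split(None, 4)
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            session, actor, action, obj))
    return sorted(events, key=lambda e: e.ts)


def find_rogue_bursts(events, create_window=timedelta(minutes=5), min_created=2,
                      download_window=timedelta(hours=1), min_downloads=5):
    """Flag accounts created as part of a burst (>= min_created creations by the
    same actor within create_window) that then download >= min_downloads files
    within download_window of being created. Thresholds are assumptions."""
    creations = [e for e in events if e.action == "user_create"]
    findings = []
    for c in creations:
        burst = [o for o in creations
                 if o.actor == c.actor and abs(o.ts - c.ts) <= create_window]
        if len(burst) < min_created:
            continue
        pulls = [e for e in events
                 if e.actor == c.obj and e.action == "download"
                 and c.ts <= e.ts <= c.ts + download_window]
        if len(pulls) >= min_downloads:
            findings.append(Finding(c.actor, c.obj, c.ts, len(pulls)))
    return findings


def rogue_accounts(current_users, backup_users, cutoff):
    """current_users maps account name -> last-modified time of its config;
    backup_users is the set of accounts present in a backup taken before cutoff.
    Returns accounts the backup does not know about, plus accounts (such as the
    default user) whose config was rewritten after the cutoff."""
    return sorted(name for name, mtime in current_users.items()
                  if name not in backup_users or mtime > cutoff)


UTC = timezone.utc
CUTOFF = datetime(2025, 7, 16, tzinfo=UTC)  # backup date from the article's advice
# Constructed snapshot of account configs and their last-modified times.
CURRENT_USERS = {
    "default":     datetime(2025, 7, 18, 9, 2, 13, tzinfo=UTC),  # rewritten on 18 July
    "ftpadmin":    datetime(2025, 1, 9, tzinfo=UTC),
    "alice":       datetime(2025, 3, 1, tzinfo=UTC),
    "bob":         datetime(2025, 7, 10, 11, 0, tzinfo=UTC),
    "svc_backup2": datetime(2025, 7, 18, 9, 2, 15, tzinfo=UTC),
    "tmpuser9":    datetime(2025, 7, 18, 9, 2, 19, tzinfo=UTC),
}
BACKUP_USERS = {"default", "ftpadmin", "alice", "bob"}

if __name__ == "__main__":
    for f in find_rogue_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{f.created_at:%Y-%m-%d %H:%M}Z {f.creator} created {f.new_user}, "
              f"which downloaded {f.downloads} files within an hour")
    print("accounts to purge or restore:",
          rogue_accounts(CURRENT_USERS, BACKUP_USERS, CUTOFF))
```

On the sample feed only svc_backup2 is reported: it was created seconds apart from tmpuser9 and pulled five files within two minutes, whereas bob was a lone creation and alice never appears in a burst. The account diff returns the two new accounts plus the default user, because its config was modified after the 16 July cutoff even though the backup contains it, which is exactly the case the "restore default user from a pre-16-July backup" advice covers.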
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 19 Jul 2025 09:55:13 +0000