CyberSecurityBoard
Sponsor Register Login

New CrushFTP zero-day exploited in attacks to hijack servers

The attack occurs via the software's web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. It is unclear when these versions were released, but CrushFTP says around July 1st. CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers. "We believe this bug was in builds prior to July 1st time period roughly...the latest versions of CrushFTP already have the issue patched," reads CrushFTP's advisory. According to CrushFTP, threat actors were first detected exploiting the vulnerability on July 18th at 9AM CST, though it may have begun in the early hours of the previous day. CrushFTP CEO Ben Spink told BleepingComputer that they had previously fixed a vulnerability related to AS2 in HTTP(S) that inadvertantly blocked this zero-day flaw as well. "A prior fix by chance happened to block this vulnerability too, but the prior fix was targeting a different issue and turning off some rarely used feature by default," Spink told BleepingComputer. CrushFTP says it believes threat actors reverse engineered their software and discovered this new bug and had begun exploiting it on devices that are not up-to-date on their patches. CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S, and other protocols. Enterprise customers using a DMZ CrushFTP instance to isolate their main server are not believed to be affected by this vulnerability. In the past, ransomware gangs, usually Clop, have repeatedly exploited zero-day vulnerabilities in similar platforms, including Cleo, MOVEit Transfer, GoAnywhere MFT, and Accellion FTA, to conduct mass data theft and extortion attacks. Lawrence Abrams Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Administrators who believe their systems were compromised are advised to restore the default user configuration from a backup dated before July 16th. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Spink says that they are most commonly seeing the default user modified as the main IOC.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 19 Jul 2025 02:50:26 +0000


Cyber News related to New CrushFTP zero-day exploited in attacks to hijack servers

New CrushFTP zero-day exploited in attacks to hijack servers - The attack occurs via the software's web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. It is unclear when these versions were released, but CrushFTP says around July 1st. CrushFTP is warning that threat actors are ...
3 weeks ago Bleepingcomputer.com CVE-2025-54309
Check Point released hotfix for actively exploited VPN zero-day - MUST READ. Check Point released hotfix for actively exploited VPN zero-day. Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. Apple ...
1 year ago Securityaffairs.com CVE-2024-23222 CVE-2023-22515 CVE-2023-40044 CVE-2023-20109
CrushFTP zero-day exploited in attacks to gain admin access on servers - The attack occurs via the software's web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. It is unclear when these versions were released, but CrushFTP says around July 1st. CrushFTP is warning that threat actors are ...
3 weeks ago Bleepingcomputer.com CVE-2025-54309
CrushFTP zero-day exploited to gain admin access on servers - CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers. The attack occurs via the software's ...
3 weeks ago Bleepingcomputer.com CVE-2025-54309
Over 1,000 CrushFTP servers exposed to ongoing hijack attacks - The security vulnerability (CVE-2025-54309) is due to mishandled AS2 validation and impacts all CrushFTP versions below 10.8.5 and 11.3.4_23. The vendor tagged the flaw as actively exploited in the wild on July 19th, noting ...
2 weeks ago Bleepingcomputer.com CVE-2025-54309
CrushFTP warns users to patch unauthenticated access flaw immediately - In November 2023, CrushFTP customers were also warned to patch a critical remote code execution vulnerability (CVE-2023-43177) in the company's enterprise suite after Converge security researchers who reported the flaw released a proof-of-concept ...
4 months ago Bleepingcomputer.com CVE-2023-43177
Critical auth bypass bug in CrushFTP now exploited in attacks - CrushFTP customers were also warned to patch a critical remote code execution bug (CVE-2023-43177) in the company's enterprise suite in November 2023 after Converge security researchers (who discovered and reported the flaw) released a ...
4 months ago Bleepingcomputer.com CVE-2023-43177
New MOVEit Transfer critical bug is actively exploited - MUST READ. New MOVEit Transfer critical bug is actively exploited. CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. PoC ...
1 year ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 CVE-2023-40044 CVE-2023-20109 Rocke
Exploit for CrushFTP RCE chain released, patch now - A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords. The ...
1 year ago Bleepingcomputer.com CVE-2023-43177
Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine - Apple has patched an actively exploited zero-day bug in its WebKit browser engine for Safari. Actively Exploited Apple yesterday described the vulnerability as something an attacker could exploit to execute arbitrary code on affected systems. ...
1 year ago Darkreading.com CVE-2024-23222
10 of the biggest zero-day attacks of 2023 - Here are 10 of the biggest zero-day attacks of 2023 in chronological order. Zero-day attacks started strong in 2023 with CVE-2023-0669, a pre-authentication command injection vulnerability in Fortra's GoAnywhere managed file transfer product. ...
1 year ago Techtarget.com CVE-2023-0669 CVE-2023-34362 CVE-2023-36884 CVE-2023-4863 CVE-2023-41992 CVE-2023-41991 CVE-2023-41993 CVE-2023-22515
Apple fixes Safari WebKit zero-day flaw exploited at Pwn2Own - Apple has released security updates to fix a zero-day vulnerability in the Safari web browser exploited during this year's Pwn2Own Vancouver hacking competition. The company addressed the security flaw on systems running macOS Monterey and macOS ...
1 year ago Bleepingcomputer.com CVE-2024-27834
North Korean Kimsuky used a new Linux backdoor in recent attacks - Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Threat actors exploited Palo Alto Pan-OS issue to deploy a Python Backdoor. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 ...
1 year ago Securityaffairs.com CVE-2022-38028 CVE-2020-3259 CVE-2023-22515 APT28 APT29 BianLian
Sav-Rx data breach impacted over 2.8 million individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks. Microsoft fixed two zero-day bugs exploited in malware ...
1 year ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 APT29 BianLian
newsletter Round 473 by Pierluigi Paganini - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits ...
1 year ago Securityaffairs.com CVE-2020-3259 CVE-2023-46747 CVE-2023-46748 CVE-2023-22515 APT29 Rocke BianLian
New CrushFTP 0-Day Vulnerability Exploited in the Wild to Gain Access to Servers - A critical zero-day flaw in the CrushFTP managed file-transfer platform was confirmed after vendor and threat-intelligence sources confirmed active exploitation beginning on 18 July 2025 at 09:00 CST. Shadowserver honeypots began recording ...
3 weeks ago Cybersecuritynews.com CVE-2025-31161
Healthcare firm WebTPA data breach impacted 2.5M individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach ...
1 year ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 APT29 BianLian
newsletter Round 478 by Pierluigi Paganini - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits ...
1 year ago Securityaffairs.com CVE-2020-3259 CVE-2024-0204 CVE-2023-49103 CVE-2023-38831 CVE-2023-22515 APT29 BianLian
LockBit group falsely claimed the hack of the Federal Reserve - LockBit gang claimed responsibility for the attack on City of Wichita. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits JetBrains TeamCity ...
1 year ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 APT28 APT29 LockBit BianLian Siegedsec
Russia-linked group APT29 likely breached TeamViewer - Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. Finnish police linked APT31 to the 2021 parliament attack. BianLian group exploits JetBrains TeamCity bugs in ...
1 year ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 APT28 APT29 APT3 BianLian
Cisco discloses new IOS XE zero-day exploited to deploy malware implant - Cisco disclosed a new high-severity zero-day today, actively exploited to deploy malicious implants on IOS XE devices compromised using the CVE-2023-20198 zero-day unveiled earlier this week. The company said it found a fix for both vulnerabilities ...
1 year ago Bleepingcomputer.com CVE-2023-20198 CVE-2023-20273 CVE-2021-1435
Samsung Galaxy S23 hacked two more times at Pwn2Own Toronto - Security researchers hacked the Samsung Galaxy S23 smartphone two more times on the second day of the Pwn2Own 2023 hacking competition in Toronto, Canada. The contestants also demoed zero-day bugs in printers, routers, smart speakers, surveillance ...
1 year ago Bleepingcomputer.com
newsletter Round 474 by Pierluigi Paganini - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. Critical Fortinet's ...
1 year ago Securityaffairs.com CVE-2020-3259 CVE-2023-49103 CVE-2023-22515 APT28 APT29 BianLian
Microsoft fixes Windows zero-day exploited in QakBot malware attacks - Microsoft has fixed a zero-day vulnerability exploited in attacks to deliver QakBot and other malware payloads on vulnerable Windows systems. Tracked as CVE-2024-30051, this privilege escalation bug is caused by a heap-based buffer overflow in the ...
1 year ago Bleepingcomputer.com CVE-2024-30051 CVE-2023-36033 RansomEXX Black Basta
BreachForums resurrected after FBI seizure - Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group ...
1 year ago Securityaffairs.com CVE-2022-38028 CVE-2020-3259 CVE-2024-0204 CVE-2023-38831 CVE-2023-22515 APT28 APT29 BianLian

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)