CyberSecurityBoard
Sponsor Register Login

Over 1,000 CrushFTP servers exposed to ongoing hijack attacks

The security vulnerability (CVE-2025-54309) is due to mishandled AS2 validation and impacts all CrushFTP versions below 10.8.5 and 11.3.4_23. The vendor tagged the flaw as actively exploited in the wild on July 19th, noting that attacks may have begun earlier, although it has yet to find evidence to confirm this. However, CrushFTP added last week that servers that have been kept up to date are not vulnerable to attacks, stating that customers who use a demilitarized zone (DMZ) instance to isolate their main server aren't impacted by this vulnerability. For instance, the Clop cybercrime gang alone has been linked to multiple data theft campaigns targeting zero-day flaws in Accelion FTA, ​​​​​GoAnywhere MFT, MOVEit Transfer, and, most recently, Cleo software. While it's unclear if these ongoing attacks deploy malware or were used for data theft, managed file transfer solutions like CrushFTP have been high-value targets for ransomware gangs in recent years. Over 1,000 CrushFTP instances currently exposed online are vulnerable to hijack attacks that exploit a critical security bug, providing admin access to the web interface. According to scans from the security threat monitoring platform Shadowserver, approximately 1,040 CrushFTP instances remain unpatched against CVE-2025-54309 and are vulnerable to attacks. At the time, the cybersecurity company CrowdStrike found evidence that the attacks, which targeted CrushFTP instances at multiple U.S. organizations and focused on intelligence gathering, were likely politically motivated. ShadowServer is now notifying CrushFTP customers that their servers are unprotected against ongoing CVE-2025-54309 exploitation, exposing their contents to data theft attempts. One year ago, in April 2024, CrushFTP also patched an actively exploited zero-day (tracked as CVE-2024-4040) that allowed unauthenticated attackers to escape the user's virtual file system (VFS) and download system files. The company also recommends reviewing upload and download logs for unusual activity, as well as enabling automatic updates and whitelisting IPs for server and admin access to further mitigate exploitation attempts.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 21 Jul 2025 11:35:14 +0000


Cyber News related to Over 1,000 CrushFTP servers exposed to ongoing hijack attacks

Over 1,000 CrushFTP servers exposed to ongoing hijack attacks - The security vulnerability (CVE-2025-54309) is due to mishandled AS2 validation and impacts all CrushFTP versions below 10.8.5 and 11.3.4_23. The vendor tagged the flaw as actively exploited in the wild on July 19th, noting ...
3 weeks ago Bleepingcomputer.com CVE-2025-54309
New CrushFTP zero-day exploited in attacks to hijack servers - The attack occurs via the software's web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. It is unclear when these versions were released, but CrushFTP says around July 1st. CrushFTP is warning that threat actors are ...
3 weeks ago Bleepingcomputer.com CVE-2025-54309
CrushFTP zero-day exploited in attacks to gain admin access on servers - The attack occurs via the software's web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. It is unclear when these versions were released, but CrushFTP says around July 1st. CrushFTP is warning that threat actors are ...
3 weeks ago Bleepingcomputer.com CVE-2025-54309
CrushFTP zero-day exploited to gain admin access on servers - CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers. The attack occurs via the software's ...
3 weeks ago Bleepingcomputer.com CVE-2025-54309
Critical auth bypass bug in CrushFTP now exploited in attacks - CrushFTP customers were also warned to patch a critical remote code execution bug (CVE-2023-43177) in the company's enterprise suite in November 2023 after Converge security researchers (who discovered and reported the flaw) released a ...
4 months ago Bleepingcomputer.com CVE-2023-43177
CrushFTP warns users to patch unauthenticated access flaw immediately - In November 2023, CrushFTP customers were also warned to patch a critical remote code execution vulnerability (CVE-2023-43177) in the company's enterprise suite after Converge security researchers who reported the flaw released a proof-of-concept ...
4 months ago Bleepingcomputer.com CVE-2023-43177
Exploit for CrushFTP RCE chain released, patch now - A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords. The ...
1 year ago Bleepingcomputer.com CVE-2023-43177
New CrushFTP 0-Day Vulnerability Exploited in the Wild to Gain Access to Servers - A critical zero-day flaw in the CrushFTP managed file-transfer platform was confirmed after vendor and threat-intelligence sources confirmed active exploitation beginning on 18 July 2025 at 09:00 CST. Shadowserver honeypots began recording ...
3 weeks ago Cybersecuritynews.com CVE-2025-31161
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
CISA, experts warn of Crush file transfer attacks as ransomware gang makes threats | The Record from Recorded Future News - Someone else looking for some fame, it seems, managed to reverse engineer our changes that we had bundled up and published a public disclosure detailing the exploit method and taking credit for the vulnerability,” a spokesperson for CrushFTP told ...
4 months ago Therecord.media CVE-2025-31161
CrushFTP 0-Day RCE Vulnerability Technical Details and PoC Released - This vulnerability achieves its critical CVSS 9.8 rating due to three key factors: no authentication requirements, remote accessibility from anywhere on the internet, and complete system compromise through RCE capabilities. The exploit tool supports ...
1 week ago Cybersecuritynews.com CVE-2025-54309
CISA Warns of CrushFTP Authentication Bypass Vulnerability Exploited in Attacks - As file transfer applications remain attractive targets for threat actors, organizations should maintain vigilance and promptly apply security updates to mitigate potential compromise through this critical vulnerability. Designated as CVE-2025-31161, ...
4 months ago Cybersecuritynews.com CVE-2025-31161
CrushFTP HTTPS Port Vulnerability Leads to Unauthorized Access - As of March 25, 2025, neither vulnerability is known to have been exploited in the wild, but security professionals emphasize that rapid patching is essential given the critical nature of these file transfer systems and the history of similar ...
4 months ago Cybersecuritynews.com
Over 40,000 Cisco IOS XE devices infected with backdoor using zero-day - More than 40,000 Cisco devices running the IOS XE operating system have been compromised after hackers exploited a recently disclosed maximum severity vulnerability tracked as CVE-2023-20198. There is no patch or a workaround available and the only ...
1 year ago Bleepingcomputer.com CVE-2023-20198
CVE-2021-20698 - Sharp NEC Displays (UN462A R1.300 and prior to it, UN462VA R1.300 and prior to it, UN492S R1.300 and prior to it, UN492VS R1.300 and prior to it, UN552A R1.300 and prior to it, UN552S R1.300 and prior to it, UN552VS R1.300 and prior to it, UN552 ...
2 years ago
CVE-2021-20699 - Sharp NEC Displays ((UN462A R1.300 and prior to it, UN462VA R1.300 and prior to it, UN492S R1.300 and prior to it, UN492VS R1.300 and prior to it, UN552A R1.300 and prior to it, UN552S R1.300 and prior to it, UN552VS R1.300 and prior to it, UN552 ...
2 years ago
Samsung Galaxy S23 hacked twice on first day of Pwn2Own Toronto - Security researchers hacked the Samsung Galaxy S23 twice during the first day of the consumer-focused Pwn2Own 2023 hacking contest in Toronto, Canada. They also demoed exploits and vulnerability chains targeting zero-days in Xiaomi's 13 Pro ...
1 year ago Bleepingcomputer.com
CrushFTP Vulnerability Exploited to Bypass Authentication - CrushFTP addressed this vulnerability in version 11.3.1 by adding a new security parameter s3_auth_lookup_password_supported set to false by default and implementing proper security checks in the authentication flow. A critical vulnerability ...
4 months ago Cybersecuritynews.com CVE-2025-2825
Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw - Researchers reported that the threat actors are utilizing webshells with names like, "cache.jsp" and "helper.jsp." Howver, Nextron Research says they are also using random names, making it more difficult to find vulnerable Netweaver ...
3 months ago Bleepingcomputer.com CVE-2025-31324
Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks - Tens of thousands of Microsoft Exchange email servers in Europe, the U.S., and Asia exposed on the public internet are vulnerable to remote code execution flaws. The mail systems run a software version that is currently unsupported and no longer ...
1 year ago Bleepingcomputer.com CVE-2021-26855 CVE-2021-27065
49 unique zero-days Uncovered in Pwn2Own Automotive - On the final day of Pwn2Own Automotive 2024 - Day 3, researchers were granted $1,323,750 in rewards for identifying 49 distinct zero-days. Particularly, the infotainment system and modem of Tesla were attacked by the Synacktiv team, and each ...
1 year ago Cybersecuritynews.com
JetBrains warns of new TeamCity auth bypass vulnerability - JetBrains urged customers today to patch their TeamCity On-Premises servers against a critical authentication bypass vulnerability that can let attackers take over vulnerable instances with admin privileges. Tracked as CVE-2024-23917, this critical ...
1 year ago Bleepingcomputer.com CVE-2024-23917 CVE-2023-42793 Andariel APT29
Hugging Face API tokens exposed, major projects vulnerable The Register - The API tokens of tech giants Meta, Microsoft, Google, VMware, and more have been found exposed on Hugging Face, opening them up to potential supply chain attacks. Researchers at Lasso Security found more than 1,500 exposed API tokens on the open ...
1 year ago Go.theregister.com
Exploit released for critical Cisco IOS XE flaw, many hosts still hacked - Public exploit code is now available for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198 that was leveraged as a zero-day to hack tens of thousands of devices. Cisco released patches for most releases of its IOS XE software but ...
1 year ago Bleepingcomputer.com CVE-2023-20198
Recently patched CUPS flaw can be used to amplify DDoS attacks - As Akamai security researchers found, a CVE-2024-47176 security flaw in the cups-browsed daemon that can be chained with three other bugs to gain remote code execution on Unix-like systems via a single UDP packet can also be leveraged to ...
10 months ago Bleepingcomputer.com CVE-2024-47176

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)