Over 1,000 CrushFTP servers exposed online are currently vulnerable to hijacking attacks that exploit a critical flaw, giving attackers administrative access to the web interface.
The flaw, tracked as CVE-2025-54309, stems from improper AS2 validation and affects all CrushFTP versions below 10.8.5 (10.x branch) and 11.3.4_23 (11.x branch). The vendor marked the vulnerability as actively exploited on July 19th, though the attacks may have started earlier; no confirmed evidence has been found that pins down the exact timeline.
According to CrushFTP’s advisory, “On July 18th at 9 AM CST, we observed a zero-day exploit in the wild. It’s possible the activity began earlier. Attackers apparently reverse-engineered our code and found a bug we had already addressed. They are targeting users who haven’t updated. As always, we recommend staying current with updates. Those who did were not affected.”
The company also clarified that customers using up-to-date DMZ instances to isolate their main servers are not vulnerable. Additional recommendations include enabling auto-updates, whitelisting IPs for server and admin access, and reviewing upload/download logs for suspicious activity.
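To act on the advice above, the first defender task is to find which servers in an inventory still run a build below the fixed versions named earlier (10.8.5 for the 10.x branch, 11.3.4_23 for the 11.x branch). The following triage script is an added example and not CrushFTP's own code; the `major.minor.patch_build` parsing, the inventory format and the sample hostnames are assumptions, and branches newer than 11 are assumed to ship fixed.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases per branch, as stated in the CrushFTP advisory for CVE-2025-54309.
FIXED: Dict[int, Tuple[int, int, int, int]] = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

# Assumed version format: major.minor.patch with an optional _build suffix (e.g. 11.3.4_23).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.3.4_23' into (11, 3, 4, 23); a missing build suffix counts as build 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def is_vulnerable(text: str) -> bool:
    """True when the version is below the fixed release of its branch.

    Anything older than the 10.x branch is below both fixed versions, so it is flagged.
    Branches newer than 11 are assumed (not stated in the advisory) to include the fix.
    """
    v = parse_version(text)
    if v[0] < 10:
        return True
    if v[0] > 11:
        return False
    return v < FIXED[v[0]]  # tuple comparison handles the build suffix correctly


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts (sorted) whose reported version still needs the CVE-2025-54309 fix."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (hostname -> reported CrushFTP version); not real hosts.
SAMPLE_INVENTORY = {
    "mft-01.example.internal": "11.3.4_22",  # one build short of the fix
    "mft-02.example.internal": "11.3.4_23",  # fixed
    "mft-03.example.internal": "10.8.4",     # 10.x branch, unpatched
    "mft-04.example.internal": "10.8.5",     # fixed
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2025-54309, update now")
```

A version string that lacks the build suffix (for example `11.3.4`) is treated as build 0 and is therefore still flagged, which is the safe default when the patch level cannot be confirmed.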
Threat-intelligence nonprofit Shadowserver reports that roughly 1,040 CrushFTP servers exposed online remain unpatched and susceptible to this vulnerability. The group is now alerting affected customers, warning that their systems may be exposed to data breaches.
Although it's unclear whether these attacks involved malware or data theft, managed file transfer systems like CrushFTP have been frequent targets for ransomware groups. The Clop gang, for example, has launched multiple campaigns exploiting zero-day vulnerabilities in file transfer tools such as Accellion FTA, GoAnywhere MFT, MOVEit Transfer, and Cleo software.
In April 2024, CrushFTP also fixed another actively exploited zero-day (CVE-2024-4040), which allowed unauthenticated attackers to bypass virtual file system restrictions and download system files. CrowdStrike linked those attacks to politically motivated cyber-espionage campaigns targeting U.S. organizations.