Hackers exploit critical CrushFTP flaw to gain admin access on unpatched servers

4 Min Read

A newly disclosed critical security flaw in CrushFTP is under active exploitation in the wild. The vulnerability has been assigned the CVE identifier CVE-2025-54309 and carries a CVSS score of 9.0.

“CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation, which allows remote attackers to gain administrator access via HTTP,” according to the vulnerability description in NIST’s National Vulnerability Database (NVD).

CrushFTP said in its advisory that it first detected in-the-wild zero-day exploitation of the vulnerability at 9 a.m. on July 18, 2025, but acknowledged that it could have been weaponized much earlier.

“The attack vector was HTTP(S), in terms of how our servers could be exploited,” the company said. “We had fixed a different issue related to AS2 in HTTP(S) and didn’t realize that the previous bug could be used like this exploit does. The hackers obviously saw the code changes and found a way to exploit the previous bug.”

CrushFTP is widely used in government, healthcare and corporate environments to manage sensitive file transfers, which makes administrative access particularly dangerous. A compromised instance allows an attacker to exfiltrate data, plant backdoors, or pivot into internal systems that rely on the server for trusted file exchange. Without DMZ isolation, the exposed instance becomes a single point of failure.

The company said an unknown threat actor behind the malicious activity reverse engineered the source code, identified the new flaw, and targeted devices that had not yet been updated to the latest version. CVE-2025-54309 is believed to have existed in CrushFTP builds prior to July 1.


CrushFTP has also released the following indicators of compromise (IoCs):

  • The default user has administrator access
  • A long random user ID has been created (e.g. 7A0D26089AC528941BF8CB998D97F408M)
  • Other new usernames have been created with admin access
  • The file “mainusers/default/user.xml” was recently modified and contains a “last_logins” value
  • End-user web interface buttons disappear, and users previously known as normal users now have an admin button

Security teams investigating a possible compromise should check the modification time of user.xml, correlate admin login events with public IP addresses, and look for changes to audit permissions on high-value folders. It is also essential to look for suspicious patterns in the access logs related to newly created users or unexplained escalation to the administrator role.
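As an added example (not CrushFTP’s own tooling), the following Python triage helper applies the IoC list and the investigation steps above to constructed sample data: it flags random-looking usernames and checks a default-user XML for a recent modification time, a “last_logins” value and admin rights. The XML layout (a `<user>` root with `<username>`, `<admin>` and `<last_logins>` children), the 30-hex-character threshold and the 30-day window are assumptions for this example, not CrushFTP’s documented schema.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Heuristic for the "long random user ID" indicator: a run of 30+ hex
# characters, optionally followed by one trailing letter, as in the sample
# ID reported by CrushFTP. The threshold is an assumption for this example.
RANDOM_ID_RE = re.compile(r"^[0-9A-Fa-f]{30,}[A-Za-z]?$")

def is_random_user_id(username: str) -> bool:
    """True if a username looks like the long random IDs listed as an IoC."""
    return bool(RANDOM_ID_RE.fullmatch(username))

def user_xml_indicators(xml_text: str, mtime: datetime, now: datetime,
                        window_days: int = 30) -> dict:
    """Check a default-user XML for the indicators named in the advisory.

    The element names are assumed for this example; adapt them to the
    real file layout before use.
    """
    root = ET.fromstring(xml_text)
    recently_changed = (now - mtime) <= timedelta(days=window_days)
    has_last_logins = root.find("last_logins") is not None
    # The default user holding admin rights is the first indicator in the list.
    is_admin = (root.findtext("admin") or "").strip().lower() == "true"
    return {
        "recently_changed": recently_changed,
        "has_last_logins": has_last_logins,
        "default_user_is_admin": is_admin,
        "suspicious": recently_changed and (has_last_logins or is_admin),
    }

def triage(usernames, xml_text, mtime, now):
    """Combine both checks into one findings list for an investigator."""
    findings = [f"random-looking username: {u}" for u in usernames
                if is_random_user_id(u)]
    x = user_xml_indicators(xml_text, mtime, now)
    if x["suspicious"]:
        findings.append("default user.xml modified recently: last_logins="
                        f"{x['has_last_logins']} admin={x['default_user_is_admin']}")
    return findings

# Constructed sample data (not taken from a real server).
SAMPLE_XML = """<user><username>default</username><admin>true</admin>
<last_logins>2025-07-18 09:00</last_logins></user>"""
SAMPLE_USERS = ["alice", "svc_backup", "7A0D26089AC528941BF8CB998D97F408M"]
NOW = datetime(2025, 7, 20, tzinfo=timezone.utc)
MTIME = datetime(2025, 7, 18, 9, 0, tzinfo=timezone.utc)
OLD_MTIME = datetime(2025, 1, 1, tzinfo=timezone.utc)  # outside the window

if __name__ == "__main__":
    for line in triage(SAMPLE_USERS, SAMPLE_XML, MTIME, NOW):
        print(line)
```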

As a mitigation, the company recommends that users restore the previous default user from the backup folder and review upload/download reports for signs of suspicious transfers. Other steps:

  • Limit the IP addresses allowed to perform administrative actions
  • Allowlist the IPs that can connect to CrushFTP servers
  • Switch to a DMZ CrushFTP instance for enterprise use
  • Make sure auto-update is enabled

At this stage, the exact nature of the attacks exploiting the flaw is unknown. At the beginning of April this year, another security flaw in the same product (CVE-2025-31161, CVSS score: 9.8) was weaponized to deliver MeshCentral agents and other malware.

It was also revealed last year that another critical vulnerability affecting CrushFTP (CVE-2024-4040, CVSS score: 9.8) was exploited by threat actors targeting multiple U.S. entities.

With multiple high-severity CVEs exploited over the past year, CrushFTP has emerged as a recurring target in advanced threat campaigns. Organizations should treat this pattern as part of a broader threat exposure assessment that covers patch cadence, third-party file transfer risk, remote access tools and credential compromise, alongside zero-day detection workflows.
