Tech News

New CrushFTP zero-day exploited in attacks to hijack servers


CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers.

CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S, and other protocols.

According to CrushFTP, threat actors were first detected exploiting the vulnerability on July 18th at 9AM CST, though it may have begun in the early hours of the previous day.

CrushFTP CEO Ben Spink told BleepingComputer that they had previously fixed a vulnerability related to AS2 in HTTP(S) that inadvertently blocked this zero-day flaw as well.

"A prior fix by chance happened to block this vulnerability too, but the prior fix was targeting a different issue and turning off some rarely used feature by default," Spink told BleepingComputer.

CrushFTP says it believes threat actors reverse engineered their software and discovered this new bug and had begun exploiting it on devices that are not up-to-date on their patches.

"We believe this bug was in builds prior to July 1st time period roughly...the latest versions of CrushFTP already have the issue patched," reads CrushFTP's advisory.

"The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.

"As always we recommend regularly and frequent patching. Anyone who had kept up to date was spared from this exploit."

The attack occurs via the software's web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. It is unclear when these versions were released, but CrushFTP says around July 1st.
