
Critical Bug in CrushFTP Allows for Administrative Access

The developers of CrushFTP warn about a zero-day vulnerability (CVE-2025-54309), which hackers are already exploiting. This issue allows for administrative access to vulnerable servers through the web interface.

According to the developers, the first attacks were detected on July 18, 2025, although the exploitation of the vulnerability likely began the day before.

According to CrushFTP CEO Ben Spink, a recent update to the product inadvertently patched this zero-day vulnerability: the patch was aimed at a different issue and at disabling the rarely used AS2-over-HTTP(S) feature by default. The company believes that hackers reverse-engineered the CrushFTP code, discovered the new bug, and began exploiting it on servers where the “accidental patch” had not yet been applied.

“We believe that this bug was present in builds until approximately July 1, 2025. The issue has already been resolved in the current versions of CrushFTP,” the company reports. “The attack vector utilized HTTP(S). We were addressing another issue related to AS2 over HTTP(S) and at the time did not realize that the bug could be exploited in a different way. It seems hackers noticed this change in the code and found a way to exploit the previous vulnerability.”

It is reported that the attack is carried out through the program’s web interface in versions up to CrushFTP 10.8.5 and CrushFTP 11.3.4_23. It is unclear exactly when these versions were released, but the developers state that it was around July 1.

Administrators who suspect that their systems have been compromised are now advised to restore the default user configuration from a backup made before July 16. Signs of compromise include:

  • suspicious changes in MainUsers/default/user.XML, especially recent modifications and the presence of the last_logins field;
  • new administrator-level usernames that appear as a random string of characters (e.g., 7a0d26089ac528941bf8cb998d97f408m).

The developers note that most often they observe modifications to the default user, and this is the main indicator of compromise.

“Overall, we observed that it was the default user that was most frequently modified. Moreover, it was altered in such a way that the configuration became formally invalid, yet it still worked for the attacker and no one else,” reported Spink.
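As an added example, not code from the advisory or from CrushFTP, the following Python script checks a CrushFTP MainUsers tree for the indicators listed above: a `last_logins` field in `user.XML`, a recently modified default user, and accounts whose names are long random strings. It assumes each user's configuration lives at `MainUsers/<username>/user.XML` and that `last_logins` appears as an XML element or attribute; the random-name pattern is a heuristic derived from the sample username in the advisory, and the sample tree it builds is constructed for the demonstration. Because the advisory notes that tampered configurations can be formally invalid, the script falls back to a raw byte search when the XML does not parse.

```python
"""Scan a CrushFTP MainUsers directory for the indicators of compromise
named in the CVE-2025-54309 advisory (added example, not CrushFTP code).

Assumptions: each user lives in MainUsers/<username>/user.XML, and a
last_logins field shows up as an element name or an attribute name.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Advisory: restore from a backup made before July 16; anything
# modified on or after that date deserves a look.
CUTOFF = datetime(2025, 7, 16, tzinfo=timezone.utc)

# Heuristic (assumption): the advisory's sample attacker account is
# 32 hex characters plus a trailing letter, so flag long mostly-hex names.
RANDOM_NAME = re.compile(r"^[0-9a-f]{24,}[a-z0-9]*$")


def looks_random_username(name: str) -> bool:
    """True for names like 7a0d26089ac528941bf8cb998d97f408m."""
    return bool(RANDOM_NAME.match(name))


def xml_has_last_logins(path: str) -> bool:
    """True if any element or attribute in the file is named last_logins."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        # Tampered configs may be formally invalid XML; fall back to a
        # raw search so the indicator is still caught.
        with open(path, "rb") as fh:
            return b"last_logins" in fh.read()
    for el in root.iter():
        if el.tag == "last_logins" or "last_logins" in el.attrib:
            return True
    return False


def scan_mainusers(mainusers: str, modified_since: datetime) -> list:
    """Return one finding (dict with user and reasons) per suspicious user."""
    findings = []
    for name in sorted(os.listdir(mainusers)):
        udir = os.path.join(mainusers, name)
        if not os.path.isdir(udir):
            continue
        reasons = []
        if looks_random_username(name):
            reasons.append("random-looking username")
        xml_path = os.path.join(udir, "user.XML")
        if os.path.isfile(xml_path):
            if xml_has_last_logins(xml_path):
                reasons.append("last_logins field present")
            mtime = datetime.fromtimestamp(os.path.getmtime(xml_path), tz=timezone.utc)
            if name == "default" and mtime >= modified_since:
                reasons.append("default user.XML modified " + mtime.isoformat())
        if reasons:
            findings.append({"user": name, "reasons": reasons})
    return findings


def build_sample_tree() -> str:
    """Constructed sample MainUsers tree (not real CrushFTP data)."""
    mainusers = os.path.join(tempfile.mkdtemp(), "MainUsers")
    # Benign user: ordinary name, no last_logins.
    os.makedirs(os.path.join(mainusers, "alice"))
    with open(os.path.join(mainusers, "alice", "user.XML"), "w") as fh:
        fh.write("<user><username>alice</username></user>")
    # Tampered default user: last_logins injected, modified after the cutoff.
    os.makedirs(os.path.join(mainusers, "default"))
    default_xml = os.path.join(mainusers, "default", "user.XML")
    with open(default_xml, "w") as fh:
        fh.write("<user><username>default</username><last_logins/></user>")
    ts = datetime(2025, 7, 19, tzinfo=timezone.utc).timestamp()
    os.utime(default_xml, (ts, ts))
    # Attacker-created account: random name and formally invalid XML.
    rogue = "7a0d26089ac528941bf8cb998d97f408m"
    os.makedirs(os.path.join(mainusers, rogue))
    with open(os.path.join(mainusers, rogue, "user.XML"), "w") as fh:
        fh.write("<user><username>%s</username><last_logins>" % rogue)  # unclosed
    return mainusers


if __name__ == "__main__":
    for finding in scan_mainusers(build_sample_tree(), CUTOFF):
        print(finding["user"], "->", "; ".join(finding["reasons"]))
```

Point `scan_mainusers` at the real `MainUsers` directory of a server to review it; any hit on the default user or on a random-looking name should be compared against the pre-July-16 backup the advisory recommends restoring from.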

At the moment, it is unknown whether attacks on CrushFTP have been used for data theft or malware distribution. However, secure file transfer solutions have long been priority targets for attackers and are especially attractive to ransomware operators. For instance, the Clop ransomware is known for frequently spreading through vulnerabilities in other popular enterprise products, including MOVEit Transfer, GoAnywhere MFT, and Accellion FTA.
