Critical Bug in CrushFTP Allows for Administrative Access

📟 News

Date: 22/07/2025

The developers of CrushFTP warn about a zero-day vulnerability (CVE-2025-54309), which hackers are already exploiting. This issue allows for administrative access to vulnerable servers through the web interface.

According to the developers, the first attacks were detected on July 18, 2025, although the exploitation of the vulnerability likely began the day before.

According to CrushFTP CEO Ben Spink, a recent update to the product inadvertently patched this 0-day vulnerability. The patch was originally aimed at a different issue and disabled the rarely used AS2 over HTTP(S) feature by default. The company believes that hackers reversed the CrushFTP code, discovered the new bug, and began exploiting it on devices where the “accidental patch” had not yet been applied.

“We believe that this bug was present in builds until approximately July 1, 2025. The issue has already been resolved in the current versions of CrushFTP,” the company reports. “The attack vector utilized HTTP(S). We were addressing another issue related to AS2 over HTTP(S) and at the time did not realize that the bug could be exploited in a different way. It seems hackers noticed this change in the code and found a way to exploit the previous vulnerability.”

It is reported that the attack is carried out through the program’s web interface in versions up to CrushFTP 10.8.5 and CrushFTP 11.3.4_23. It is unclear when exactly these versions were released, but the developers state that it happened around July 1.

Administrators who suspect that their systems have been compromised are now advised to restore the default user configuration from a backup made before July 16. Signs of compromise include:

  • suspicious changes in MainUsers/default/user.XML, especially recent modifications and the presence of the last_logins field;
  • new administrator-level usernames that appear as a random string of characters (e.g., 7a0d26089ac528941bf8cb998d97f408m).

The developers note that most often they observe modifications to the default user, and this is the main indicator of compromise.

“Overall, we observed that it was the default user that was most frequently modified. Moreover, it was altered in such a way that the configuration became formally invalid, yet it still worked for the attacker and no one else,” reported Spink.
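The indicators listed above (recent changes to MainUsers/default/user.XML, a last_logins field, random-looking usernames, and a config that is formally invalid yet still loads) can be checked with a small script. This is an added example, not CrushFTP's own tooling; it assumes one directory per user under the MainUsers path named on the page and uses a constructed sample tree.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# The advisory's example of a rogue admin name, 7a0d26089ac528941bf8cb998d97f408m,
# is 32 hex characters plus one letter; treat names of that shape as suspicious.
RANDOM_NAME = re.compile(r"^[0-9a-f]{32}[a-z]?$")


def scan_mainusers(root, cutoff_iso):
    """Return (username, reason) findings for every <root>/<user>/user.XML.
    Assumes one directory per user under root, as in MainUsers/default/user.XML."""
    cutoff = datetime.fromisoformat(cutoff_iso).timestamp()
    findings = []
    for name in sorted(os.listdir(root)):
        user_xml = os.path.join(root, name, "user.XML")
        if not os.path.isfile(user_xml):
            continue
        if RANDOM_NAME.match(name):
            findings.append((name, "random-looking username"))
        if name == "default" and os.path.getmtime(user_xml) > cutoff:
            findings.append((name, "user.XML modified after cutoff"))
        with open(user_xml, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if "last_logins" in text:  # substring check still works if the XML is broken
            findings.append((name, "last_logins field present"))
        try:
            ET.fromstring(text)
        except ET.ParseError:  # the advisory notes "formally invalid" configs that still worked
            findings.append((name, "user.XML is not well-formed XML"))
    return findings


def build_sample_tree():
    """Create a constructed MainUsers tree in a temp dir (sample data, not a real server)."""
    root = tempfile.mkdtemp(prefix="MainUsers_")
    users = {  # name -> (user.XML body, mtime date); 'default' is left unclosed on purpose
        "alice": ("<user><username>alice</username></user>", "2025-06-01"),
        "default": ("<user><username>default</username><last_logins>1</last_logins>", "2025-07-19"),
        "7a0d26089ac528941bf8cb998d97f408m": ("<user><username>x</username></user>", "2025-07-19"),
    }
    for name, (body, day) in users.items():
        os.makedirs(os.path.join(root, name))
        path = os.path.join(root, name, "user.XML")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        stamp = datetime.fromisoformat(day).replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (stamp, stamp))
    return root
```

Run `scan_mainusers("/path/to/MainUsers", "2025-07-16T00:00:00+00:00")` against a real tree; a random-looking name only shows the account exists, so confirm its privilege level in the admin UI before acting.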

At the moment, it is unknown whether attacks on CrushFTP have been used for data theft or malware distribution. However, secure file transfer solutions have long been priority targets for attackers and are especially attractive to ransomware operators. For instance, the Clop ransomware is known for frequently spreading through vulnerabilities in other popular enterprise products, including MOVEit Transfer, GoAnywhere MFT, and Accellion FTA.
