The developers of CrushFTP warn about a zero-day vulnerability (CVE-2025-54309), which hackers are already exploiting. This issue allows for administrative access to vulnerable servers through the web interface.
According to the developers, the first attacks were detected on July 18, 2025, although the exploitation of the vulnerability likely began the day before.
According to CrushFTP CEO Ben Spink, a recent update to the product inadvertently patched this 0-day vulnerability. Although the patch was initially aimed at addressing a different issue and disabling the rarely used AS2 over HTTP(S) feature by default. The company believes that hackers reversed the CrushFTP code, discovered the new bug, and began exploiting it on devices where the “accidental patch” has not yet been applied.
“We believe that this bug was present in builds until approximately July 1, 2025. The issue has already been resolved in the current versions of CrushFTP,” the company reports. “The attack vector utilized HTTP(S). We were addressing another issue related to AS2 over HTTP(S) and at the time did not realize that the bug could be exploited in a different way. It seems hackers noticed this change in the code and found a way to exploit the previous vulnerability.”
It is reported that the attack is carried out through the program’s web interface in versions up to CrushFTP 10.8.5 and CrushFTP 11.3.4_23. It is unclear when exactly these versions were released, but the developers state that it happened around July 1.
Administrators who suspect that their systems have been compromised are now advised to restore the default user configuration from a backup made before July 16. Signs of compromise include:
- suspicious changes in MainUsers/default/user.XML, especially recent modifications and the presence of the last_logins field;
- new administrator-level usernames that appear as a random string of characters (e.g., 7a0d26089ac528941bf8cb998d97f408m).
The developers note that most often they observe modifications to the default user, and this is the main indicator of compromise.
“Overall, we observed that it was the default user that was most frequently modified. Moreover, it was altered in such a way that the configuration became formally invalid, yet it still worked for the attacker and no one else,” reported Spink.
At the moment, it is unknown whether attacks on CrushFTP have been used for data theft or malware distribution. However, secure file transfer solutions have long been priority targets for attackers and are especially attractive to ransomware operators. For instance, the Clop ransomware is known for frequently spreading through vulnerabilities in other popular enterprise products, including MOVEit Transfer, GoAnywhere MFT, and Accellion FTA.
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices
The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic
Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet
All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…
Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →