Threat actors are actively exploiting a critical zero-day vulnerability (CVE-2025-54309) in CrushFTP file transfer servers, granting administrative access via web interfaces. Unpatched systems face immediate risk of compromise, with evidence suggesting attacks began as early as July 16. Enterprise security teams must prioritize updates to prevent data theft and system takeover.