Critical Flaw Exposes Over 1,000 CrushFTP Servers to Active Hijacking Attacks
Over 1,000 CrushFTP Servers Vulnerable to Active Hijacking Campaign
Security researchers have sounded the alarm as more than 1,000 CrushFTP servers remain exposed to a critical vulnerability, tracked as CVE-2025-54309, that lets attackers take over the administrative interface. The flaw stems from improper validation in CrushFTP's AS2 handling and affects versions below 10.8.5 and 11.3.4_23, allowing unauthenticated threat actors to bypass authentication and gain full access to the web interface over HTTPS. CrushFTP confirmed the bug is under active exploitation, with the first attacks observed on July 18th, though the vendor notes they may have begun earlier. This incident marks yet another high-risk scenario for organizations relying on managed file transfer (MFT) solutions, which have become prime targets for ransomware groups seeking sensitive data.
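The first thing a defender needs here is a reliable answer to "is this build patched?", and CrushFTP's version strings make that slightly awkward because the 11.x fix is identified by a build suffix (`11.3.4_23`) while the 10.x fix is a plain release (`10.8.5`). The following triage helper is an added example, not code from CrushFTP or from the original article; it encodes only the two fixed versions named above and treats any branch older than 10.x as unpatched because it is also "below 10.8.5". The inventory it runs over is constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# First fixed build on each supported branch, as named in the advisory.
# Versions are compared as (major, minor, patch, build); a missing "_build"
# suffix is treated as build 0, so "11.3.4" sorts below "11.3.4_23".
FIXED_BY_BRANCH: Dict[int, Tuple[int, int, int, int]] = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' or 'MAJOR.MINOR.PATCH_BUILD' into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the fix on its branch, False if patched,
    None if the branch is newer than anything the advisory covers."""
    parsed = parse_version(version)
    major = parsed[0]
    if major < 10:
        # 9.x and older are below 10.8.5 and are not maintained; treat as exposed.
        return True
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        # e.g. a hypothetical 12.x: not covered by the advisory, triage manually.
        return None
    return parsed < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'PATCH NOW' / 'patched' / 'unknown branch' for an inventory
    of host -> reported CrushFTP version."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            status = is_vulnerable(version)
        except ValueError:
            result[host] = "unparseable version"
            continue
        if status is True:
            result[host] = "PATCH NOW"
        elif status is False:
            result[host] = "patched"
        else:
            result[host] = "unknown branch"
    return result


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "mft-dmz-01.example.internal": "11.3.4_22",
    "mft-dmz-02.example.internal": "11.3.4_23",
    "mft-legacy.example.internal": "10.8.4",
    "mft-new.example.internal": "11.3.5",
    "mft-old.example.internal": "9.4.2",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:32} {verdict}")
```

Note that `11.3.4` with no build suffix is reported as vulnerable: the advisory fixes the 11.x branch at build 23 of that release, so an un-suffixed 11.3.4 is below the threshold, not equal to it.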
The Vulnerability and Its Exploitation
CVE-2025-54309 stems from a weakness in how CrushFTP validates AS2 (Applicability Statement 2) messages, a protocol commonly used for secure B2B data exchange. By abusing this flaw, an unauthenticated attacker can obtain administrative access to the web interface and, from there, compromise the entire server. In its advisory, CrushFTP said it believes attackers reverse-engineered the flaw from its existing code and urged immediate updates:
"July 18th, 9AM CST there is a 0-day exploit seen in the wild. Possibly it has been going on for longer, but we saw it then... Anyone who had kept up to date was spared from this exploit."
The Shadowserver Foundation, a non-profit threat monitoring organization, has identified approximately 1,040 vulnerable instances exposed to the internet and is notifying affected network owners. The ongoing attacks mirror patterns seen in previous MFT breaches, where unpatched systems served as the initial foothold for data exfiltration or ransomware deployment. CrushFTP advises administrators to review upload/download logs for anomalies, enable automatic updates, and restrict access to the server to an IP allowlist to reduce exposure.
Broader Implications for Enterprise Security
This incident is not isolated: CrushFTP faced a similar zero-day (CVE-2024-4040) just last year, which allowed attackers to escape the virtual file system and read sensitive system files. CrowdStrike linked those breaches to politically motivated espionage, underscoring how MFT platforms such as CrushFTP, Accellion, and MOVEit are increasingly targeted by advanced threat actors. The Clop ransomware gang, for instance, has repeatedly exploited such vulnerabilities to steal data from high-profile targets. With over a thousand servers still unpatched, the window for attack remains wide open, posing significant operational and compliance risks.
The persistence of these exploits highlights a troubling trend: despite vendor warnings, delayed patching continues to leave critical infrastructure exposed. As cybersecurity professionals, we must prioritize not just reactive measures but proactive strategies—such as DMZ isolation and continuous log monitoring—to defend against evolving supply chain threats. In an era where file transfer systems underpin global business operations, resilience hinges on treating every update as a frontline defense.
Source: BleepingComputer