A critical zero-day vulnerability in CrushFTP enterprise file transfer software is being actively weaponized by threat actors to hijack servers, security teams warned this week. Tracked as CVE-2025-54309, the flaw enables attackers to gain administrative privileges through the web interface of unpatched systems—putting sensitive file transfer operations at immediate risk.

According to CrushFTP's advisory and CEO Ben Spink, exploitation began around July 16-18, 2025, with attackers reverse-engineering the software to discover the flaw. The vulnerability affects versions prior to CrushFTP v10.8.5 and v11.3.4_23, though systems updated after July 1 are protected due to an earlier patch that inadvertently blocked this attack vector.

"We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change and figured out a way to exploit the prior bug," Spink told BleepingComputer.

Critical Mitigation Steps

  • Patch immediately: Upgrade to the latest CrushFTP version (v10.8.5+ or v11.3.4_23+)
  • Audit configurations: Check MainUsers/default/user.XML for unrecognized admin accounts (e.g., 7a0d26089ac528941bf8cb998d97f408m) or recent modifications
  • Monitor logs: Review upload/download activity for anomalies
  • Restrict access: Implement IP whitelisting for admin interfaces
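To make the "audit configurations" step concrete, the following is an added example (not CrushFTP's own tooling and not from the advisory) that walks a MainUsers/<username>/user.XML tree and flags what a responder would want to review: account names that look randomly generated, like the one quoted above; admin-flagged accounts not on a known list; and user.XML files modified after the July 1 baseline the article mentions. The layout (one user.XML per user directory) and the `<admin>true</admin>` element name are assumptions, as is the sample tree the script builds for itself; adjust the tag to the schema of your deployment.

```python
"""Audit a CrushFTP-style users directory for unexpected admin accounts.

Added example, not CrushFTP's own tooling. Assumes the on-disk layout
MainUsers/<username>/user.XML (one file per account). The admin flag
element name (<admin>) is an assumption; change it to match your schema.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

# Usernames made of 32 hex characters plus an optional trailing letter, the
# shape of the example account named in the advisory
# (7a0d26089ac528941bf8cb998d97f408m).
RANDOM_NAME = re.compile(r"^[0-9a-f]{32}[a-z]?$")

# Installs patched after 1 July 2025 were protected, so any user.XML written
# after that date on an unpatched host was written into an exposed system.
BASELINE = datetime(2025, 7, 1, tzinfo=timezone.utc).timestamp()


@dataclass
class Finding:
    user: str
    reason: str


def is_admin(user_xml_path, admin_tag="admin"):
    """Return True if the file contains <admin_tag>true</admin_tag>.

    The element name is an assumption and configurable; an unparseable or
    unfamiliar file yields False so one bad file does not abort the audit.
    """
    try:
        root = ET.parse(user_xml_path).getroot()
    except ET.ParseError:
        return False
    for el in root.iter():
        if el.tag.lower() == admin_tag and (el.text or "").strip().lower() == "true":
            return True
    return False


def audit_users(main_users_dir, known_admins, baseline=BASELINE):
    """Walk MainUsers/<user>/user.XML and return a list of Findings to review."""
    findings = []
    for user in sorted(os.listdir(main_users_dir)):
        path = os.path.join(main_users_dir, user, "user.XML")
        if not os.path.isfile(path):
            continue
        if RANDOM_NAME.match(user):
            findings.append(Finding(user, "random-looking account name"))
        if is_admin(path) and user not in known_admins:
            findings.append(Finding(user, "admin flag set on unexpected account"))
        if os.path.getmtime(path) > baseline:
            findings.append(Finding(user, "user.XML modified after baseline"))
    return findings


def build_sample_tree():
    """Constructed sample data: two ordinary accounts and one planted admin."""
    root = tempfile.mkdtemp()
    users = {
        "admin_ops": ("true", BASELINE - 86400),   # known admin, pre-baseline
        "default": ("false", BASELINE - 86400),    # ordinary account
        "7a0d26089ac528941bf8cb998d97f408m": ("true", BASELINE + 86400),  # planted
    }
    for name, (admin, mtime) in users.items():
        user_dir = os.path.join(root, name)
        os.makedirs(user_dir)
        path = os.path.join(user_dir, "user.XML")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"<user><username>{name}</username><admin>{admin}</admin></user>")
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    for finding in audit_users(build_sample_tree(), known_admins={"admin_ops"}):
        print(f"{finding.user}: {finding.reason}")
```

Against the constructed tree the planted account is reported three times (random name, unexpected admin flag, post-baseline modification) while the two legitimate accounts produce nothing. Point `audit_users` at a real MainUsers directory and pass the set of administrators you actually provisioned; the `<admin>` tag name should be confirmed against a known-good user.XML before trusting the second check.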

The DMZ Debate

While CrushFTP suggested using DMZ instances as protection, Rapid7 issued a stark warning:

"Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy."

Broader Threat Landscape

Managed file transfer (MFT) solutions like CrushFTP remain high-value targets for ransomware groups—notably Clop, which previously exploited zero-days in MOVEit, GoAnywhere, and Accellion. Though current attack motives are unclear, the pattern suggests potential data theft or extortion campaigns.

This incident underscores the fragility of software supply chains and the critical need for continuous patching. As Spink emphasized: "Anyone who had kept up to date was spared." For enterprises handling sensitive data through file transfer systems, proactive updates aren’t just best practice—they’re the frontline defense against escalating server hijack threats.