CrushFTP Zero-Day Exploited to Hijack Enterprise File Transfer Servers
A critical zero-day vulnerability in CrushFTP enterprise file transfer software is being actively exploited, allowing threat actors to gain administrative control over vulnerable servers. Tracked as CVE-2025-54309, the flaw stems from mishandled AS2 validation and lets remote attackers obtain admin access over HTTPS in versions prior to CrushFTP v10.8.5 and v11.3.4_23, builds released around July 1, 2025.
CrushFTP CEO Ben Spink confirmed to BleepingComputer that exploitation began as early as July 17, with definitive attacks detected on July 18. Intriguingly, the vulnerability was inadvertently patched in recent updates while fixing an unrelated AS2 protocol issue.
"A prior fix by chance happened to block this vulnerability too," Spink stated. "Hackers apparently saw our code change and figured out how to exploit the prior bug."
Systems updated since early July are protected, highlighting the critical importance of prompt patching. Organizations running outdated instances face severe risks: attackers can create hidden admin accounts (e.g., usernames like 7a0d26089ac528941bf8cb998d97f408m), modify the MainUsers/default/user.XML configuration, and potentially exfiltrate sensitive data.
Key Mitigation Steps:
- Immediately update to the latest CrushFTP version.
- Audit user.XML files for unexpected admin accounts or recent modifications.
- Restore pre-July 16 configurations from backups if compromised.
- Implement IP whitelisting for administrative access.
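The audit step above, together with the indicators mentioned earlier (hex-named admin accounts, a modified MainUsers/default/user.XML, changes after July 16), can be automated. The script below is an added example, not code from CrushFTP, BleepingComputer or the vendor advisory. It assumes the on-disk layout MainUsers/<name>/user.XML and that a user.XML carries a `<username>` element and a `<site_admin>true</site_admin>` element marking an admin; both element names are assumptions to verify against your own installation. The sample tree it builds in a temporary directory is constructed data so the script runs offline.

```python
"""Audit CrushFTP MainUsers directories for rogue admin accounts and recent edits.

Added example (not CrushFTP's own code). Assumes MainUsers/<name>/user.XML with
<username> and <site_admin>true</site_admin>; confirm these element names against
a real installation before relying on the results.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Shape of the reported rogue username: 32 hex characters plus an optional trailing letter.
HEX_NAME = re.compile(r"^[0-9a-f]{32}[a-z]?$")
# Configurations modified on or after July 16 deserve scrutiny, per the advice above.
CUTOFF = datetime(2025, 7, 16, tzinfo=timezone.utc)


def parse_user(path):
    """Return (username, is_admin) from one user.XML (element names are assumed)."""
    root = ET.parse(path).getroot()
    user = root if root.tag == "user" else root.find("user")
    if user is None:
        raise ET.ParseError("no <user> element in %s" % path)
    name = (user.findtext("username") or "").strip()
    is_admin = (user.findtext("site_admin") or "false").strip().lower() == "true"
    return name, is_admin


def audit_main_users(main_users_dir, cutoff=CUTOFF, expected_admins=()):
    """Walk main_users_dir and return a list of (kind, path, username) findings."""
    findings = []
    for dirpath, _subdirs, files in os.walk(main_users_dir):
        for fn in files:
            if fn.lower() != "user.xml":
                continue
            path = os.path.join(dirpath, fn)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            try:
                name, is_admin = parse_user(path)
            except ET.ParseError:
                findings.append(("unparseable", path, None))
                continue
            if is_admin and name not in expected_admins:
                findings.append(("unexpected_admin", path, name))
            if HEX_NAME.match(name):
                findings.append(("hex_username", path, name))
            if mtime >= cutoff:
                findings.append(("modified_after_cutoff", path, name))
    return findings


def build_fixture():
    """Constructed sample tree (not real data) mimicking a compromised install."""
    base = tempfile.mkdtemp(prefix="crushftp_users_")
    sample = {  # name: (is_admin, last-modified time)
        "crushadmin": (True, datetime(2025, 6, 1, tzinfo=timezone.utc)),
        "alice": (False, datetime(2025, 6, 15, tzinfo=timezone.utc)),
        "default": (True, datetime(2025, 7, 18, tzinfo=timezone.utc)),
        "7a0d26089ac528941bf8cb998d97f408m": (True, datetime(2025, 7, 18, tzinfo=timezone.utc)),
    }
    for name, (is_admin, when) in sample.items():
        user_dir = os.path.join(base, "MainUsers", name)
        os.makedirs(user_dir)
        path = os.path.join(user_dir, "user.XML")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<user><username>%s</username><site_admin>%s</site_admin></user>"
                     % (name, "true" if is_admin else "false"))
        ts = when.timestamp()
        os.utime(path, (ts, ts))  # backdate so the cutoff check is meaningful
    return base


if __name__ == "__main__":
    for kind, path, name in audit_main_users(build_fixture(), expected_admins=("crushadmin",)):
        print("%-22s %-36s %s" % (kind, name, path))
```

On the constructed tree the script flags the "default" user (admin rights plus a post-cutoff edit) and the hex-named account (admin rights, suspicious name, post-cutoff edit) while leaving the known admin and the ordinary user alone. Point `audit_main_users` at a copy of the real MainUsers directory and pass the admins you actually expect; an "unparseable" finding is itself worth a look, since a tampered file may not be well-formed.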
While CrushFTP suggested DMZ deployments could mitigate risk, cybersecurity firm Rapid7 disputed this:
"Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy."
Managed file transfer (MFT) platforms like CrushFTP are high-value targets: the Clop extortion gang has previously exploited zero-days in Accellion FTA, GoAnywhere MFT and MOVEit Transfer to steal data from hundreds of organizations. Though the motives behind the current attacks remain unconfirmed, the pattern suggests potential data theft or extortion campaigns. For administrators, this zero-day reinforces a brutal truth: delayed patching in MFT ecosystems is an existential risk.
Source: BleepingComputer