A vulnerability in older versions of CrushFTP is being actively exploited. Only users who have recently updated are unaffected.
CrushFTP reports that hackers are exploiting a zero-day vulnerability (CVE-2025-54309) in the platform. CrushFTP is a commercial file transfer solution with support for web-based management, user management, and secure protocols.
Attacks have been observed in the wild since July 18. It is possible that the bug was used by hackers earlier, but there is no data on that. The vulnerability was discovered in older versions of the software and has been patched since early July.
Old Versions
The attack exploits a flaw that can be triggered via HTTP(S). According to CrushFTP, it is a bug that was previously resolved, but the full impact was not clear at the time. Hackers analyzed recent code changes and found a way to exploit the old bug to carry out an attack. Customers who switched to a new version in time were spared. This again illustrates the importance of timely updates.
The following versions are vulnerable:
- All version 10 builds older than 10.8.5
- All version 11 builds older than 11.3.4_23
Enterprise customers using a separate DMZ instance of CrushFTP are not affected. The manufacturer advises strictly following standard practices around patch management.
Recovery and Protection
If you suspect your server is compromised, you can restore the default user via the backup folder. This involves replacing the user.XML file with a previously saved version. The supplier recommends reverting to a backup from before July 16 to ensure no malicious changes have occurred.
read also
Hackers are Attacking Microsoft SharePoint Worldwide via Zero-Day: Patch Now
Furthermore, CrushFTP urges users to check for suspicious actions. Unusual user IDs or recent changes to the default user profile may indicate a breach. Hackers may also have attempted to alter the displayed software version to avoid detection.
Finally, CrushFTP suggests several preventive measures: restrict IP access, use a DMZ setup in enterprise environments, and enable automatic updates. Users can also register for urgent notifications via the company’s support site.