A new zero-day vulnerability in CrushFTP file transfer servers is being actively exploited by cybercriminals, compromising systems around the world. Tracked as CVE-2025-54309, the CrushFTP zero-day vulnerability was first observed in active exploitation on July 18, 2025.
This zero-day vulnerability in CrushFTP is particularly dangerous due to the stealthy nature of the attack vector, which leverages both HTTP and HTTPS protocols to infiltrate vulnerable servers. This automatically makes internet-facing instances of CrushFTP especially susceptible to unauthorized access if not promptly patched.
CVE-2025-54309: Vulnerability Details and Origins
The attackers behind CVE-2025-54309 reverse-engineered CrushFTP’s codebase to uncover and weaponize a flaw that had technically been addressed in prior updates but remained exploitable in outdated installations. This means organizations that have not kept up with regular patching cycles are now vulnerable to this active threat.
In an official statement, CrushFTP noted, “Hackers apparently reverse engineered our code and found some bug which we had already fixed. They are exploiting it for anyone who has not stayed current on new versions.” The company believes the exploited bug existed in builds prior to July 1, 2025, and that newer versions had already silently patched the issue during unrelated updates to AS2 functionality over HTTP(S).
Affected Versions
The vulnerability affects the following builds:
- Version 10: All versions below 10.8.5
- Version 11: All versions below 11.3.4_23
Users running these versions who haven’t updated may already be compromised, especially if their servers are directly accessible over the internet.
Signs of Compromise
CrushFTP has released a list of indicators to help system administrators detect possible exploitation:
- Presence of “last_logins” entries in user.XML (not normally present)
- Recent modification timestamps on the default user.XML file
- The default user unexpectedly has admin rights
- Strange, long random user IDs (e.g., 7a0d26089ac528941bf8cb998d97f408m)
- Unknown admin-level accounts are being created
- Disappearance of user interface buttons, or unexpected Admin buttons on user accounts
- The altered version displays used by attackers to mask the true server state
Administrators are also being warned that threat actors are reusing scripts from previous exploits to deploy additional payloads on affected systems.
Remediation and Recovery
Organizations suspecting a breach are urged to immediately restore the default user profile from a backup created before July 16, 2025. The backup is located in:
swift
CopyEdit
CrushFTP/backup/users/MainUsers/default
Because these zip files may not be compatible with native Windows extraction tools, users are advised to use software like 7-Zip, WinRAR, macOS Archive Utility, or WinZip.
If backups are unavailable, deleting the default user will trigger CrushFTP to recreate it, though any custom configurations will be lost.
Preventive Measures and Recommendations
To mitigate future risks, CrushFTP recommends the following actions:
- Whitelist IP addresses that can access the server
- Restrict administration access by IP
- Deploy a DMZ-based CrushFTP proxy in enterprise environments
- Enable automatic updates within the server preferences
- Sign up for emergency notifications via CrushFTP Support
The company emphasized the importance of proactive patching: “Anyone who had kept up to date was spared from this exploit.”
