New CrushFTP Zero-Day Exploit Enables Admin Access on Unpatched Servers

CrushFTP warns of an actively exploited zero-day vulnerability (CVE-2025-54309) allowing full admin access via web interface on unpatched servers running outdated builds.

    Attackers reverse-engineered code to hijack outdated systems; patch issued before exploit was discovered

    Enterprise file transfer platform CrushFTP is sounding the alarm over an actively exploited zero-day vulnerability—CVE-2025-54309—that allows attackers to gain full administrative access through the software’s web interface on outdated servers.

    First detected on July 18 at 9 AM CST, the exploit may have been in use even earlier, potentially targeting vulnerable CrushFTP instances that had not been updated to the latest version.

    CrushFTP is widely used by organizations to manage secure file transfers over FTP, SFTP, HTTP/S, and similar protocols. The zero-day affects versions prior to v10.8.5 and v11.3.4_23, which were released around July 1, according to the vendor.

    “We believe this bug was in builds prior to July 1st time period roughly… the latest versions of CrushFTP already have the issue patched,”
    CrushFTP advisory

    CrushFTP believes the attackers reverse-engineered the software and discovered this new vulnerability on their own. While an earlier patch for an unrelated issue involving AS2 functionality in HTTP/S incidentally mitigated this exploit, it wasn’t specifically designed to do so.

    “A prior fix by chance happened to block this vulnerability too, but the prior fix was targeting a different issue,”
    Ben Spink, CEO of CrushFTP

    Exploitation Details and Who’s Affected

    The attack vector used is HTTP/S, targeting CrushFTP’s web interface. Organizations that remained current with software updates were unaffected, as the exploit only impacts builds prior to July 1.

    CrushFTP emphasized that up-to-date deployments are not vulnerable. Systems utilizing a DMZ (demilitarized zone) CrushFTP instance to isolate the main server are also believed to be safe from exploitation.

    Still, cybersecurity firm Rapid7 issued a caution, warning:

    “Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy.”

    While it’s not yet confirmed whether the attackers used the flaw for data theft or malware deployment, the incident is raising concerns due to a growing trend of managed file transfer (MFT) solutions being exploited for large-scale breaches.

    Notably, ransomware groups like Clop have previously used zero-days in similar platforms—including MOVEit Transfer, Cleo, GoAnywhere MFT, and Accellion FTA—to exfiltrate sensitive enterprise data and launch extortion campaigns.

    Indicators of Compromise (IoCs) and Mitigation Guidance

    CrushFTP has outlined several IoCs to help administrators identify compromised systems. Key indicators include:

    • Unexpected modifications to MainUsers/default/user.XML, especially with a last_logins field
    • Unknown admin-level accounts such as: 7a0d26089ac528941bf8cb998d97f408m
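    The two indicators above can be turned into a routine defender-side check. The script below is an added example and is not CrushFTP's own code or tooling: it walks a MainUsers directory, flags any account directory that is not on an administrator-maintained allowlist, flags a default user.XML that contains a last_logins field, and reports files that no longer parse as XML (the advisory describes the default user being "modified in very invalid ways"). The XML layout of user.XML, the allowlist, and the hex-name heuristic (derived only from the single sample account name quoted above) are assumptions made for illustration; the sample tree it scans is constructed in a temporary directory.

```python
"""Defender-side scan for the CrushFTP IoCs quoted in the advisory text.
Added example; the user.XML layout used here is an ASSUMPTION for
illustration, not CrushFTP's real schema."""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Heuristic taken from the single sample IoC account name on the page:
# 32 hex characters followed by one trailing letter. ASSUMPTION, not a vendor rule.
SUSPICIOUS_NAME = re.compile(r"^[0-9a-f]{32}[a-z]$")


def scan_main_users(main_users: Path, expected_accounts: set[str]) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings: list[str] = []
    for account_dir in sorted(p for p in main_users.iterdir() if p.is_dir()):
        name = account_dir.name
        if name not in expected_accounts:
            reason = "matches hex-like pattern" if SUSPICIOUS_NAME.match(name) else "not in allowlist"
            findings.append(f"unknown account {name!r} ({reason})")
        user_xml = account_dir / "user.XML"
        if not user_xml.is_file():
            continue
        try:
            root = ET.parse(user_xml).getroot()
        except ET.ParseError as exc:
            # A file that is still accepted by the server but no longer well-formed
            # matches the "modified in very invalid ways" description.
            findings.append(f"{name}: user.XML is not well-formed XML ({exc})")
            continue
        # The advisory singles out a last_logins field in the default user's file.
        if name == "default" and any(True for _ in root.iter("last_logins")):
            findings.append("default: user.XML contains a last_logins field")
    return findings


def build_sample_tree(base: Path) -> Path:
    """Create a CONSTRUCTED MainUsers tree: a tampered default user, a normal
    user, and an account named like the advisory's sample IoC."""
    main_users = base / "MainUsers"
    samples = {
        "default": "<user><username>default</username><last_logins>1</last_logins></user>",
        "alice": "<user><username>alice</username></user>",
        "7a0d26089ac528941bf8cb998d97f408m": "<user><username>x</username></user>",
    }
    for name, body in samples.items():
        (main_users / name).mkdir(parents=True)
        (main_users / name / "user.XML").write_text(body, encoding="utf-8")
    return main_users


def run_demo() -> list[str]:
    """Scan the constructed tree with an allowlist of the two legitimate accounts."""
    with tempfile.TemporaryDirectory() as tmp:
        main_users = build_sample_tree(Path(tmp))
        return scan_main_users(main_users, expected_accounts={"default", "alice"})


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

    In production the allowlist would be the set of accounts an administrator actually created, and the scan would run against the live MainUsers directory on a schedule; any finding is a prompt to compare the file against a pre-July-16 backup, as the mitigation steps below advise.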

    Ben Spink noted the most common sign has been a tampered default user entry:

    “In general we have seen the default user modified as the main IOC… modified in very invalid ways that were still usable for the attacker but no one else.”

    Recommended Mitigation Steps:

    • Restore the default user configuration from a backup prior to July 16
    • Review upload and download logs for unusual activity
    • Implement IP whitelisting for server and admin access
    • Use a DMZ instance if applicable
    • Enable automatic updates for the CrushFTP application

    Enterprise administrators are urged to verify their server build dates and ensure immediate patching if running outdated versions. CrushFTP reiterates that regular patching remains the strongest defense against zero-day exploits.
