CrushFTP is warning about a zero-day vulnerability (CVE-2025-54309) that allows attackers to gain administrative access via the web interface on vulnerable servers. The vulnerability was first detected on July 18th, but it may have been exploited earlier. A prior fix inadvertently blocked this vulnerability, but threat actors reverse-engineered the software and began exploiting it on unpatched systems. Systems kept up to date are not vulnerable. Indicators of compromise include unexpected entries in user.XML and new, unrecognized admin-level usernames. It is unclear if the attacks were used for data theft or to deploy malware, but similar platforms have been targeted by ransomware gangs for mass data theft and extortion attacks.
TPRM report: https://scoringcyber.rankiteo.com/company/crushftp
"id": "cru709072025",
"linkid": "crushftp",
"type": "Vulnerability",
"date": "7/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': 'File Transfer Software',
                        'name': 'CrushFTP',
                        'type': 'Enterprise'}],
 'attack_vector': 'HTTP(S) via web interface',
 'date_detected': '2023-07-18T09:00:00-05:00',
 'description': 'Threat actors are actively exploiting a zero-day vulnerability in CrushFTP, allowing attackers to gain administrative access via the web interface on vulnerable servers.',
 'impact': {'systems_affected': ['CrushFTP servers prior to v10.8.5 and v11.3.4_23']},
 'initial_access_broker': {'entry_point': 'Web interface via HTTP(S)'},
 'post_incident_analysis': {'corrective_actions': ['Restore default user configuration from a backup dated before July 16th',
                                                   'Regular and frequent patching'],
                            'root_causes': ['Reverse engineering of software to discover the bug',
                                            'Exploitation of vulnerability in devices not up-to-date on patches']},
 'recommendations': ['Regular and frequent patching',
                     'Use of a DMZ instance',
                     'IP whitelisting for server and admin access',
                     'Enabling automatic updates'],
 'references': [{'source': 'BleepingComputer'}],
 'response': {'containment_measures': ['Restore default user configuration from a backup dated before July 16th',
                                       'Review upload and download logs for unusual activity',
                                       'IP whitelisting for server and admin access',
                                       'Use of a DMZ instance',
                                       'Enabling automatic updates']},
 'title': 'CrushFTP Zero-Day Vulnerability Exploitation (CVE-2025-54309)',
 'type': 'Zero-Day Exploitation',
 'vulnerability_exploited': 'CVE-2025-54309'}