A critical zero-day vulnerability in CrushFTP servers has been actively exploited by attackers since July 18th, 2025, with security researchers confirming widespread attacks targeting unpatched installations.
The vulnerability, designated CVE-2025-54309, affects all CrushFTP version 10 installations below 10.8.5 and version 11 installations below 11.3.4_23, potentially exposing thousands of file transfer servers worldwide.
Attackers reverse-engineered recent code changes to exploit a previously fixed bug, reaching vulnerable systems over HTTP and HTTPS.
The exploitation campaign was first detected on July 18th at 9:00 AM Central Standard Time, though security analysts believe the attacks may have commenced up to 24 hours earlier while system administrators were offline.
The attackers reverse-engineered CrushFTP's source code modifications to identify exploitable weaknesses in older builds.
The attack vector utilized HTTP and HTTPS protocols to compromise servers, exploiting a bug that existed in builds created prior to July 1st, 2025.
Ironically, the vulnerability became apparent to attackers only after CrushFTP developers had already addressed what they believed was a separate AS2-related issue in their HTTP implementation.
The development team had not initially recognized that their previous bug fix could be circumvented through alternative exploitation methods.
This incident highlights the growing trend of attackers monitoring software repositories and security updates to identify potential vulnerabilities in systems that haven’t implemented the latest patches.
The hackers demonstrated advanced technical capabilities by analyzing code changes and developing functional exploits based on historical vulnerabilities.
CrushFTP 0-Day Vulnerability
The vulnerability affects a broad range of CrushFTP installations, specifically targeting all version 10 releases below 10.8.5 and version 11 releases below 11.3.4_23.
Enterprise customers running DMZ CrushFTP configurations with front-end proxy servers remained protected from this particular attack vector.
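As an added example (not code from the article or from CrushFTP), the following inventory check encodes the affected ranges stated above, parsing version strings with and without the `_NN` build suffix (for example 11.3.4_23) and separating hosts that are on an affected build but sit behind a DMZ front-end proxy; the host names are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds as stated in the advisory text: 10.x below 10.8.5 and
# 11.x below 11.3.4_23 are affected. Tuples are (major, minor, patch, build).
FIXED_BUILDS = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch' or 'major.minor.patch_build' into a comparable tuple.
    A missing _build suffix is treated as build 0, so 11.3.4 sorts below 11.3.4_23."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_affected_version(version: str) -> Optional[bool]:
    """True if the build is below the fixed build for its major version, False if fixed.
    None when the major version is not covered by the advisory (no claim is made)."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def triage(inventory: Dict[str, Tuple[str, bool]]) -> Dict[str, List[str]]:
    """Bucket a {host: (version, behind_dmz_front_end)} inventory.
    'behind_dmz' hosts were not exposed to this vector but still run an affected build."""
    buckets: Dict[str, List[str]] = {"patch_now": [], "behind_dmz": [], "ok": [], "unknown": []}
    for host, (version, dmz) in sorted(inventory.items()):
        affected = is_affected_version(version)
        if affected is None:
            buckets["unknown"].append(host)
        elif not affected:
            buckets["ok"].append(host)
        elif dmz:
            buckets["behind_dmz"].append(host)
        else:
            buckets["patch_now"].append(host)
    return buckets


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "ftp-a.example": ("11.3.4_22", False),
    "ftp-b.example": ("11.3.4_23", False),
    "ftp-c.example": ("10.8.4", True),
    "ftp-d.example": ("10.8.5", False),
    "ftp-e.example": ("9.5.0", False),
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```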
Organizations that maintained current patching schedules were completely unaffected by the exploitation campaign, reinforcing the critical importance of regular software updates.
The latest versions of CrushFTP already contained the necessary security fixes, having been implemented as part of routine maintenance rather than emergency response measures.
Upon discovery of the active exploitation, security teams observed that attackers were deploying previously used scripts from earlier CrushFTP exploits, suggesting an organized campaign utilizing established toolsets and methodologies.
These backup files require third-party extraction tools such as 7-Zip, WinRAR, or macOS native utilities, as Windows’ built-in extraction cannot process the archive format properly.
Future Protection Strategies
Security experts recommend rolling back system configurations to July 16th to ensure complete remediation of any potential compromise that may have occurred during the initial attack phases.
Organizations suspecting compromise should immediately restore default user configurations from backup archives located in the CrushFTP/backup/users/MainUsers/default directory.
Administrators should comprehensively review all upload and download reports to identify suspicious file transfers during the exploitation window.
Moving forward, CrushFTP recommends implementing several protective measures: restricting administrative access to specific IP addresses, implementing comprehensive IP whitelisting for server connections, deploying DMZ configurations for enterprise environments, and enabling automatic update mechanisms through the Preferences and Updates interface.