Unknown attackers have exploited a vulnerability (CVE-2025-54309) in the CrushFTP enterprise file-transfer server to gain administrative access to vulnerable deployments.
It’s currently unclear what the attackers are using this access for, but data theft looks most likely.
According to the Shadowserver Foundation, around 1,040 CrushFTP instances remain exposed and unpatched against CVE-2025-54309.
It remains unclear how many systems attackers have compromised since the start of the campaign. Organizations using outdated CrushFTP versions should verify if attackers have breached their systems.
About CVE-2025-54309
On Friday (July 18), the CrushFTP team warned that attackers were using a 0-day exploit, apparently developed by reverse engineering a recent update and discovering a bug that the maintainers had already fixed.
CVE-2025-54309 stems from CrushFTP mishandling the validation of Applicability Statement 2 (AS2) and allows remote, unauthenticated attackers to obtain admin access to exposed CrushFTP web interfaces via HTTPS.
“We believe this bug was in builds prior to July 1st time period roughly…the latest versions of CrushFTP already have the issue patched,” the maintainers said.
“We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was.”
CVE-2025-54309 affects:
- CrushFTP 10 prior to v10.8.5
- CrushFTP 11 prior to v11.3.4_23
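A quick way to triage an inventory against the two affected ranges above. This is an added example, not code from CrushFTP or the advisory; the version format (major.minor.patch with an optional `_build` suffix, as in `11.3.4_23`) and the sample hostnames are assumptions, and major versions the advisory does not name are reported as not in scope.

```python
import re

# Fixed builds per the advisory: CrushFTP 10 before 10.8.5 and
# CrushFTP 11 before 11.3.4_23 are affected. Tuples compare element-wise.
FIXED_BUILDS = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

# Assumed version layout: optional "v", major.minor.patch, optional "_build".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(version: str) -> tuple:
    """Parse a CrushFTP version string such as '11.3.4_23' or 'v10.8.5'.

    Returns (major, minor, patch, build); a missing build suffix counts as 0,
    so a bare '11.3.4' sorts before '11.3.4_23' and is treated as unpatched.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_affected(version: str) -> bool:
    """True if the build falls inside the vulnerable range for CVE-2025-54309."""
    parsed = parse_version(version)
    fixed = FIXED_BUILDS.get(parsed[0])
    if fixed is None:
        # Only major versions 10 and 11 are listed in the advisory (assumption:
        # anything else is out of scope for this check, not proven safe).
        return False
    return parsed < fixed


def triage(inventory: dict) -> dict:
    """Filter a host -> version mapping down to hosts that still need the upgrade."""
    return {host: ver for host, ver in inventory.items() if is_affected(ver)}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "mft-01.example.internal": "11.3.4_22",
        "mft-02.example.internal": "11.3.4_23",
        "mft-03.example.internal": "10.8.4",
        "mft-04.example.internal": "v10.8.5",
        "mft-05.example.internal": "11.2.9",
    }
    for host, ver in triage(sample).items():
        print(f"{host}: {ver} is within the CVE-2025-54309 range, upgrade required")
```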
What should you do?
Organizations that quickly upgraded to the latest CrushFTP version likely avoided breaches.
CrushFTP maintainers say enterprise customers using a DMZ front-end avoided the exploit.
CrushFTP developers have published indicators of compromise to look for when checking whether an instance has been successfully targeted, steps to take if it has been, and advice on reducing the risk of instances being compromised in the future.
Since April 2024, attackers have exploited two vulnerabilities in CrushFTP (CVE-2024-4040 and CVE-2025-2825), as well as zero and n-day vulnerabilities in other popular file transfer solutions used by businesses.