CrushFTP, a widely used secure file transfer server, has issued an urgent advisory regarding a critical zero-day vulnerability, tracked as CVE-2025-54309 (CVSS 9.0), that has been actively exploited in the wild. The flaw, which affects multiple outdated builds, allows remote attackers to exploit CrushFTP servers via the HTTP(S) interface.
“July 18th, 9AM CST there is a 0-day exploit seen in the wild. Possibly it has been going on for longer, but we saw it then,” the advisory states.
According to the CrushFTP team, attackers likely reverse-engineered recent code changes, identified a previously patched but overlooked bug, and weaponized it against unpatched servers.
“Hackers apparently saw our code change, and figured out a way to exploit the prior bug,” the developers explain.
While the company had already fixed the bug in newer builds, it was not initially recognized as exploitable. The attackers used the HTTP(S) vector to launch their payloads, reusing scripts from previous CrushFTP compromises to deploy malware or manipulate server behavior.
“Hackers re-used scripts from prior exploits to deploy things on CrushFTP servers,” the advisory warns.
The vulnerability impacts:
- All version 10 builds below 10.8.5
- All version 11 builds below 11.3.4_23
Enterprise customers using a DMZ CrushFTP instance in front of their main server were reportedly not affected, due to the isolation architecture.
Administrators are urged to review their systems for compromise indicators, including:
- Recent modifications to MainUsers/default/user.XML
- Presence of “last_logins” in user.XML (not normal behavior)
- Creation of long random user IDs with administrative privileges (e.g., 7a0d26089ac528941bf8cb998d97f408m)
- Any unfamiliar admin-level accounts
If compromise is suspected, CrushFTP recommends restoring a clean version of the default user from backups prior to July 16:
“Restore a prior default user from your backup folder from before the exploit… you can also just delete your default user and CrushFTP will re-create it.”
Steps include:
- Using non-native unzipping tools (like WinRAR, macOS Archive Utility, or WinZip) to extract backups
- Reviewing upload/download logs for malicious activity
- Replacing the default user profile at CrushFTP/users/MainUsers/default
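As an added triage example (not CrushFTP's own code and not part of the advisory), the script below walks a MainUsers tree and checks each account for the indicators listed above: a `last_logins` entry in user.XML, admin accounts whose names look like long random hex ids, admin accounts not on a known list, and a default user.XML modified on or after the July 16 cutoff. The directory layout MainUsers/<username>/user.XML, the element names `admin` and `last_logins`, and the sample XML documents are assumptions constructed for this example; verify them against your own build before relying on the output.

```python
"""Triage helper for the CrushFTP compromise indicators quoted in the advisory.

Added example, not CrushFTP code. Assumed layout: MainUsers/<username>/user.XML;
assumed schema: an <admin>true</admin> element marks admin rights, and the
"last_logins" indicator appears as an element or attribute of that name.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

# Generalised from the example id quoted in the advisory (32 hex chars plus an
# optional trailing character); the exact pattern attackers used is an assumption.
RANDOM_ID_RE = re.compile(r"^[0-9a-f]{32}[0-9a-z]?$", re.IGNORECASE)

# The advisory says to restore the default user from a backup taken before July 16.
EXPLOIT_CUTOFF = datetime(2025, 7, 16, tzinfo=timezone.utc)


def has_last_logins(xml_text: str) -> bool:
    """True if any element or attribute named 'last_logins' is present (not normal)."""
    root = ET.fromstring(xml_text)
    return any(e.tag == "last_logins" or "last_logins" in e.attrib for e in root.iter())


def is_admin(xml_text: str) -> bool:
    """True if an element whose tag contains 'admin' has the text 'true' (assumed schema)."""
    root = ET.fromstring(xml_text)
    for e in root.iter():
        if "admin" in e.tag.lower() and (e.text or "").strip().lower() == "true":
            return True
    return False


def looks_random_id(username: str) -> bool:
    """True for long random-looking user ids such as the one quoted in the advisory."""
    return bool(RANDOM_ID_RE.match(username))


def triage_user(username: str, xml_text: str, modified_at: datetime,
                known_admins: frozenset = frozenset()) -> list:
    """Return a list of human-readable findings for one account (empty = nothing seen)."""
    findings = []
    if has_last_logins(xml_text):
        findings.append("last_logins present in user.XML")
    admin = is_admin(xml_text)
    if admin and looks_random_id(username):
        findings.append("long random user id with admin privileges")
    elif admin and username not in known_admins:
        findings.append("admin account not on the known-admin list")
    if username == "default" and modified_at >= EXPLOIT_CUTOFF:
        findings.append("default user.XML modified on/after the July 16 cutoff")
    return findings


def triage_mainusers(mainusers: Path, known_admins: frozenset = frozenset()) -> dict:
    """Walk MainUsers/<username>/user.XML and map each flagged username to its findings."""
    report = {}
    for user_dir in sorted(p for p in mainusers.iterdir() if p.is_dir()):
        xml_path = user_dir / "user.XML"
        if not xml_path.exists():
            continue
        modified = datetime.fromtimestamp(xml_path.stat().st_mtime, tz=timezone.utc)
        findings = triage_user(user_dir.name, xml_path.read_text(), modified, known_admins)
        if findings:
            report[user_dir.name] = findings
    return report


# Constructed sample documents (assumed schema, not real CrushFTP output).
CLEAN_DEFAULT_XML = """<user type="properties">
  <username>default</username>
  <admin>false</admin>
</user>"""

SUSPECT_DEFAULT_XML = """<user type="properties">
  <username>default</username>
  <last_logins>2025-07-18 09:00</last_logins>
  <admin>false</admin>
</user>"""

ROGUE_ADMIN_XML = """<user type="properties">
  <username>7a0d26089ac528941bf8cb998d97f408m</username>
  <admin>true</admin>
</user>"""

if __name__ == "__main__":
    seen = datetime(2025, 7, 18, 9, tzinfo=timezone.utc)
    for name, doc in [("default", SUSPECT_DEFAULT_XML),
                      ("7a0d26089ac528941bf8cb998d97f408m", ROGUE_ADMIN_XML)]:
        print(name, "->", triage_user(name, doc, seen) or "clean")
    # On a real host: print(triage_mainusers(Path("CrushFTP/users/MainUsers"), frozenset({"crushadmin"})))
```

Run `triage_mainusers` against the server's MainUsers directory with the admin accounts you expect in `known_admins`; every flagged account is a lead for log review, not proof of compromise on its own, since the element names are assumed and a legitimately modified default profile also trips the date check.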
To defend against future exploits and harden CrushFTP environments, administrators are advised to:
- Restrict administrative IP access
- Enable automatic updates
- Whitelist only trusted IP ranges
- Deploy a DMZ instance in enterprise scenarios
“As always we recommend regular and frequent patching. Anyone who had kept up to date was spared from this exploit,” the advisory recommends.