Critical Vulnerability in CrushFTP Allows Administrative Access

CrushFTP developers have issued an urgent warning about an actively exploited zero-day vulnerability, CVE-2025-54309, that allows remote attackers to gain administrative access via the web interface on unpatched servers.

Discovery and Exploitation Timeline

The first signs of exploitation were detected on July 18, 2025, although attackers likely began leveraging the flaw a day earlier, according to the development team.

In a statement, CrushFTP CEO Ben Spink revealed that a recent patch, designed to fix an unrelated bug, inadvertently neutralized this vulnerability by disabling a rarely used AS2-over-HTTP(S) feature. However, attackers appear to have reverse-engineered the codebase, discovered the flaw, and targeted systems that had not yet received the “accidental” patch.

“We believe this bug existed in builds prior to approximately July 1, 2025. Current versions of CrushFTP already include the fix,” the company said.
“The attack vector exploited HTTP(S). While we were patching a separate AS2-related issue, we didn’t realize the same flaw could be abused differently. It appears hackers noticed the code change and found a way to exploit the older vulnerability.”

Affected Versions

The vulnerability affects the following builds:

  • CrushFTP versions prior to 10.8.5
  • CrushFTP versions prior to 11.3.4_23

These patched versions were released around July 1, 2025, and contain mitigations for the flaw.
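For inventorying a fleet against the two fixed builds above, the following helper is an added example written for this article, not a CrushFTP tool. It assumes CrushFTP version strings follow the `major.minor.patch` or `major.minor.patch_build` shape shown on this page and treats a missing `_build` suffix as build 0, so that a bare `11.3.4` still counts as older than `11.3.4_23`.

```python
import re

# Fixed builds named in the advisory: 10.8.5 for the 10.x line, 11.3.4_23 for 11.x.
# Stored as (major, minor, patch, build) so tuple comparison does the ordering.
FIXED_10 = (10, 8, 5, 0)
FIXED_11 = (11, 3, 4, 23)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_version(version):
    """Turn '11.3.4_23' into (11, 3, 4, 23) and '10.8.5' into (10, 8, 5, 0)."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version):
    """True if the build predates the fix for its release line.

    Anything below 11 (including 9.x, which the advisory's 'prior to 10.8.5'
    wording covers) is compared against 10.8.5; 11.x and later against 11.3.4_23.
    """
    parsed = parse_version(version)
    fixed = FIXED_11 if parsed[0] >= 11 else FIXED_10
    return parsed < fixed


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for host, ver in [("ftp-a", "10.8.4"), ("ftp-b", "11.3.4_22"), ("ftp-c", "11.3.4_23")]:
        print(host, ver, "VULNERABLE" if is_vulnerable(ver) else "patched")
```

The regex is strict on purpose: a string it does not recognise raises rather than silently reporting a host as patched.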

Indicators of Compromise (IoCs)

Administrators who suspect compromise should immediately:

  • Restore user configurations from a backup created before July 16, 2025
  • Examine configuration files for signs of tampering

Key Warning Signs:

  • Unusual changes in MainUsers/default/user.XML, particularly:
    • The presence or modification of a last_logins field
    • The creation of new admin-level accounts with randomized usernames, such as: 7a0d26089ac528941bf8cb998d97f408m

According to Spink, attackers frequently altered the default user account, resulting in technically invalid configurations that still functioned for the attacker—while locking out legitimate users.
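The warning signs above can be checked mechanically. The script below is an added example for this article, not CrushFTP's own code, and it works on a constructed, simplified user XML layout (`<user name="...">` with child `<admin>` and `<last_logins>` elements); the real `MainUsers/default/user.XML` schema is not reproduced here, so the element and attribute names must be adapted to what is actually on disk. It flags three things the article describes: a `last_logins` field, admin accounts that are not on an approved list, and admin usernames that look like long hex strings (the reported sample is 32 hex characters plus a one-letter suffix), plus the default account being given admin rights.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in a simplified layout, for demonstration only.
SAMPLE_USER_XML = """
<users>
  <user name="default">
    <admin>false</admin>
  </user>
  <user name="alice">
    <admin>true</admin>
  </user>
  <user name="7a0d26089ac528941bf8cb998d97f408m">
    <admin>true</admin>
    <last_logins>2025-07-18</last_logins>
  </user>
</users>
"""

# Long run of hex digits, optionally followed by a single letter, as in the
# username quoted in the advisory. Legitimate admin names rarely look like this.
RANDOM_NAME = re.compile(r"^[0-9a-f]{24,}[a-z]?$")


def audit_user_xml(xml_text, known_admins):
    """Return a list of (username, reason) findings for a user XML document."""
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        name = user.get("name", "")
        is_admin = (user.findtext("admin") or "").strip().lower() == "true"

        # The advisory names last_logins as a field attackers add or modify.
        if user.find("last_logins") is not None:
            findings.append((name, "last_logins field present"))

        # Any admin not on the approved list warrants a look.
        if is_admin and name not in known_admins:
            findings.append((name, "admin account not in approved list"))

        # Randomized admin usernames were observed in the campaign.
        if is_admin and RANDOM_NAME.match(name):
            findings.append((name, "admin account with randomized username"))

        # The default account was tampered with in observed intrusions.
        if name == "default" and is_admin:
            findings.append((name, "default account granted admin rights"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_user_xml(SAMPLE_USER_XML, {"alice"}):
        print(f"{name}: {reason}")
```

Run it against a copy of the live configuration and against the pre-July-16 backup the article recommends restoring; a finding that appears only in the live copy is the change to investigate.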

Potential Risks and Broader Implications

While it remains unclear whether this vulnerability has been exploited for data theft or malware deployment, secure file transfer solutions like CrushFTP have historically been prime targets for ransomware groups.

Notably, Clop ransomware operators have previously exploited flaws in similar enterprise file transfer tools, including:

  • MOVEit Transfer
  • GoAnywhere MFT
  • Accellion FTA

This trend places CrushFTP squarely within the threat landscape for sophisticated cybercriminal campaigns.

Recommendations

To mitigate risk, CrushFTP administrators should:

  • Immediately upgrade to:
    • CrushFTP 10.8.5 or
    • CrushFTP 11.3.4_23
  • Audit logs for the creation or modification of admin accounts
  • Restore user configurations from backups made before July 16 if compromise is suspected
