CrushFTP Faces Exploitation of Critical Zero-Day Vulnerability

On July 21, 2025, CrushFTP, a Nevada-based developer of managed file-transfer software, disclosed a zero-day vulnerability in its web interface that is being actively exploited to gain unauthorized administrative access to affected systems. The vulnerability, tracked as CVE-2025-54309, was reported to have affected over 1,000 exposed instances of the software, located primarily in the United States, Germany, and Canada, according to scans by the Shadowserver Foundation.
The flaw lies in the software's handling of Applicability Statement 2 (AS2), an HTTP-based protocol designed for secure business-to-business data transfer. Because that handling is flawed, remote attackers can obtain administrative access through an unprotected alternate channel over HTTPS, which poses a significant risk to anyone who has not updated to a fixed release. The company indicated that the vulnerability affects all version 10 builds prior to 10.8.5 and all version 11 builds before 11.3.4_23. Since the attacks began, CrushFTP has urged users to verify their installations directly rather than rely solely on the version number displayed in the web interface, which attackers have manipulated to give a false sense of security.
According to CrushFTP, the company began observing active attacks around 14:00 UTC on July 21. The attackers reportedly reverse-engineered the company's code to exploit a bug that had already been fixed in newer releases for unrelated reasons. “Hackers apparently reverse engineered our code and found some bug which we had already fixed. They are exploiting it for anyone who has not stayed current on new versions,