CrushFTP Warns of Zero-Day Exploit Allowing Unauthorized Access

CrushFTP, a leading enterprise file transfer server, has issued a critical advisory concerning a zero-day vulnerability, identified as CVE-2025-54309, that is being actively exploited by threat actors. This vulnerability permits unauthorized administrative access through the web interface on affected servers, raising significant security concerns for users of the software.
The exploitation of this vulnerability was first detected on July 18, 2025, at 9 AM CST, though it is believed to have started earlier that same day, potentially in the early morning hours. According to Ben Spink, CEO of CrushFTP, the software's previous updates inadvertently blocked an unrelated vulnerability but did not address this particular issue. "A prior fix by chance happened to block this vulnerability too, but the prior fix was targeting a different issue," Spink explained in an interview with BleepingComputer.
CrushFTP's advisory highlights that the vulnerability affects versions of the software prior to v10.8.5 and v11.3.4_23, with the organization asserting that systems maintained with the latest patches are secure against this exploit. "We believe this bug was in builds prior to July 1st... the latest versions of CrushFTP already have the issue patched," the advisory stated.
The zero-day exploit utilizes HTTP(S) as the attack vector, targeting systems that have not been updated. The company emphasized that customers maintaining up-to-date installations would not be vulnerable to this attack. Moreover, enterprise customers using a Demilitarized Zone (DMZ) instance of CrushFTP to isolate their primary servers are also believed to be safe from this vulnerability.
However, security experts have raised concerns about the effectiveness of DMZs in this context. Rapid7, a cybersecurity firm, cautioned against relying solely on DMZs as a mitigation strategy, suggesting that additional security measures are necessary. "Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy," the firm stated.
While the precise motives behind the exploit remain unclear, the rise in data theft incidents targeting managed file transfer solutions underscores the potential risks. Ransomware groups, such as Clop, have historically exploited similar vulnerabilities in platforms like Cleo, MOVEit Transfer, GoAnywhere MFT, and Accellion FTA for mass data theft and extortion.
In light of this incident, CrushFTP has recommended a series of mitigation steps for administrators. These include reviewing upload and download logs for unusual activities, implementing IP whitelisting for server and admin access, employing a DMZ instance, and enabling automatic updates.
The company also provided indicators of compromise (IOCs) for administrators to monitor. These include unexpected changes in the MainUsers/default/user.XML file and the presence of unrecognized admin-level usernames. Spink noted that the primary IOC observed was modification of the default user account in suspicious ways that would give attackers usable access.
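The two IOCs above, together with the log-review recommendation, lend themselves to a scheduled check. The script below is an added illustration, not code from CrushFTP or from the advisory: it records a SHA-256 baseline of the user file, flags any change to it, and lists admin-level usernames that are not on an expected allowlist. The XML sample is constructed, and the `<user>`, `<username>` and `<admin>` element names are an assumption chosen for illustration rather than CrushFTP's actual schema; the on-disk path is a placeholder. Map the element names and path to the real installation before relying on it.

```python
import hashlib
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample standing in for MainUsers/default/user.XML. The <users>,
# <user>, <username> and <admin> element names are an assumption made for
# this illustration, not CrushFTP's real file layout.
SAMPLE_USER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user>
    <username>crushadmin</username>
    <admin>true</admin>
  </user>
  <user>
    <username>alice</username>
    <admin>false</admin>
  </user>
  <user>
    <username>svc_backup</username>
    <admin>true</admin>
  </user>
</users>
"""

# Administrators you expect to exist; any other admin-level name is an IOC.
KNOWN_ADMINS = {"crushadmin"}


def file_digest(data: bytes) -> str:
    """SHA-256 hex digest used as the integrity baseline for the user file."""
    return hashlib.sha256(data).hexdigest()


def changed_since_baseline(data: bytes, baseline_digest: str) -> bool:
    """True when the current file content no longer matches the recorded baseline."""
    return file_digest(data) != baseline_digest


def find_unrecognized_admins(xml_text: str, known_admins: set) -> list:
    """Return admin-level usernames that are absent from the expected set."""
    root = ET.fromstring(xml_text)
    suspicious = []
    for user in root.iter("user"):
        name = (user.findtext("username") or "").strip()
        is_admin = (user.findtext("admin") or "").strip().lower() == "true"
        if is_admin and name not in known_admins:
            suspicious.append(name)
    return suspicious


def check_user_file(path: Path, baseline_digest: str, known_admins: set) -> dict:
    """Run both IOC checks against a file on disk and summarise the findings."""
    data = path.read_bytes()
    return {
        "changed": changed_since_baseline(data, baseline_digest),
        "unrecognized_admins": find_unrecognized_admins(data.decode("utf-8"), known_admins),
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: record a baseline once,
    # then evaluate the file the way a scheduled job would.
    raw = SAMPLE_USER_XML.encode("utf-8")
    baseline = file_digest(raw)
    print("changed since baseline:", changed_since_baseline(raw, baseline))
    print("unrecognized admins:", find_unrecognized_admins(SAMPLE_USER_XML, KNOWN_ADMINS))
    # Against a real install (placeholder path; adjust to the actual layout):
    # print(check_user_file(Path("/PLACEHOLDER/CrushFTP/MainUsers/default/user.XML"),
    #                       baseline, KNOWN_ADMINS))
```

The baseline digest should be captured from a known-good copy taken before the exploitation window the advisory describes, and stored outside the CrushFTP host; otherwise an attacker who edits user.XML can also refresh the baseline. Pair the allowlist check with the advisory's other steps (restricting admin access by IP and reviewing transfer logs) rather than treating it as a complete detection on its own.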
As organizations continue to navigate the evolving cybersecurity landscape, the importance of regular software updates and proactive security measures cannot be overstated. The ongoing threat of exploitation underscores the need for vigilance among IT administrators, particularly in the context of enterprise file transfer systems.
As this situation develops, security teams are urged to remain alert to potential unauthorized access and to take immediate steps to secure their systems against possible exploitation. The implications of such vulnerabilities extend beyond immediate access concerns, raising critical questions about data security and the trustworthiness of enterprise software solutions in an increasingly digital world.