Critical Vulnerability Discovered in CrushFTP: Details and Recommendations
Introduction to the Vulnerability
A recently identified critical security flaw in CrushFTP has been actively exploited, raising significant concerns among organizations that rely on this software for secure file transfers. This vulnerability, designated as CVE-2025-54309, has been assessed with a high severity score of 9.0 on the Common Vulnerability Scoring System (CVSS).
What the Vulnerability Involves
According to the National Institute of Standards and Technology (NIST), the flaw affects CrushFTP 10 before 10.8.5 and CrushFTP 11 before 11.3.4_23 when the DMZ proxy feature is not in use. The issue stems from mishandled AS2 validation, which allows unauthenticated remote attackers to obtain administrative access over HTTPS. This poses a significant risk, particularly in enterprise, healthcare, and government settings where sensitive data is routinely exchanged through the server.
Timeline of Discovery
CrushFTP’s developers first detected exploitation of this zero-day vulnerability on July 18, 2025, at 9 a.m. CST, but acknowledged that the flaw may have been weaponized before then. The company stated that the attack vector was HTTP(S), which is consistent with the AS2 validation flaw being reachable through the server’s web interface.
The Security Risks
The exploitation of this vulnerability can result in severe consequences, including data exfiltration, backdoor installations, or unauthorized access to critical systems that depend on CrushFTP for secure file transfer. Without appropriate DMZ isolation, an exposed instance becomes a significant single point of failure.
According to CrushFTP, the threat actors reverse-engineered the product’s code, found the flaw, and specifically targeted servers that had not been updated to recent builds. The vendor believes the bug is present in CrushFTP builds released before roughly July 1, 2025, which is why servers kept current on updates were not affected.
Indicators of Compromise
CrushFTP has provided several indicators of compromise (IoCs) to help organizations identify potential breaches:
- The default user has been granted administrative access.
- Unusually long, randomized user IDs (e.g., `7a0d26089ac528941bf8cb998d97f408m`) have been created.
- New user accounts with administrative rights appear.
- The file `MainUsers/default/user.xml` has been modified recently, especially with a timestamp in the `last_logins` value.
- Discrepancies in the end-user web interface, such as the disappearance of standard user buttons or unauthorized elevation of regular users to admin status.
Security teams investigating potential compromise should examine the modification timestamps of `user.xml`, correlate admin login activity with source IP addresses, and audit permission changes on sensitive directories to identify signs of exploitation.
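The following script turns the indicators above into a repeatable check over a snapshot of the `MainUsers` tree. It is an added example, not CrushFTP vendor tooling: the `user.xml` element names it reads (`username`, `admin`, `last_logins`) and the `last_logins` value format are assumptions for illustration and must be checked against a real `user.xml` before use, and the sample users it runs against are constructed inline. The randomized-ID heuristic generalizes the single advisory example to any 32-hex-character name with an optional trailing letter.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Heuristic for the randomized user IDs in the advisory: 32 hex characters
# plus an optional trailing letter, e.g. 7a0d26089ac528941bf8cb998d97f408m.
RANDOM_ID_RE = re.compile(r"^[0-9a-f]{32}[a-z]?$")

SECONDS_PER_DAY = 86400


@dataclass
class Finding:
    username: str
    reasons: List[str] = field(default_factory=list)


def parse_user_xml(xml_text: str) -> dict:
    """Extract the fields the IoCs refer to from one user.xml.

    ASSUMPTION: the element names <username>, <admin> and <last_logins>
    are illustrative, not the verified CrushFTP schema.
    """
    root = ET.fromstring(xml_text)

    def text(tag: str) -> str:
        el = root.find(tag)
        return (el.text or "").strip() if el is not None else ""

    return {
        "username": text("username"),
        "admin": text("admin").lower() == "true",
        "last_logins": text("last_logins"),
    }


def check_user(username: str, xml_text: str, mtime: float, now: float,
               known_admins: Set[str], window_days: int = 30) -> Optional[Finding]:
    """Apply the advisory's IoCs to one MainUsers/<username>/ entry; None if clean."""
    info = parse_user_xml(xml_text)
    f = Finding(username)
    if username == "default":
        # IoC: default user with admin rights, and a recently touched default user.xml
        if info["admin"]:
            f.reasons.append("default user has admin rights")
        if now - mtime < window_days * SECONDS_PER_DAY:
            f.reasons.append("default user.xml modified recently "
                             f"(last_logins={info['last_logins'] or 'none'})")
    # IoC: long randomized user IDs
    if RANDOM_ID_RE.match(username):
        f.reasons.append("randomized 32-hex username")
    # IoC: new admin accounts, detected as admins absent from a pre-incident baseline
    if info["admin"] and username not in known_admins:
        f.reasons.append("admin account not in baseline")
    return f if f.reasons else None


def hunt(users: Dict[str, Tuple[str, float]], now: float,
         known_admins: Set[str]) -> List[Finding]:
    """users maps a MainUsers/<name>/ directory name to (user.xml text, mtime)."""
    results = []
    for name, (xml_text, mtime) in users.items():
        finding = check_user(name, xml_text, mtime, now, known_admins)
        if finding:
            results.append(finding)
    return results


def user_xml(name: str, admin: bool, last_logins: str = "") -> str:
    """Build a user.xml in the assumed schema (for constructing sample data)."""
    return (f"<user><username>{name}</username><admin>{str(admin).lower()}</admin>"
            f"<last_logins>{last_logins}</last_logins></user>")


# Constructed sample data, not output from a real server.
NOW = 1_753_000_000.0          # reference "now", roughly July 2025 (Unix seconds)
KNOWN_ADMINS = {"bob"}         # admin baseline taken before the exposure window
RANDOM_ID = "7a0d26089ac528941bf8cb998d97f408m"
SAMPLE_USERS = {
    "default": (user_xml("default", True, "1752832800000"), NOW - 1 * SECONDS_PER_DAY),
    RANDOM_ID: (user_xml(RANDOM_ID, True), NOW - 2 * SECONDS_PER_DAY),
    "alice": (user_xml("alice", False, "1752800000000"), NOW - 1 * SECONDS_PER_DAY),
    "bob": (user_xml("bob", True), NOW - 200 * SECONDS_PER_DAY),
}

if __name__ == "__main__":
    for finding in hunt(SAMPLE_USERS, NOW, KNOWN_ADMINS):
        print(finding.username, "->", "; ".join(finding.reasons))
```

On a real host, populate the `users` mapping by walking `MainUsers/`, reading each `user.xml` and its `os.stat().st_mtime`, and take `known_admins` from a backup or configuration export made before the exposure window; without that baseline the "admin account not in baseline" check degrades to listing every admin, which is still useful for manual review.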
Mitigation Strategies
To counteract potential risks, CrushFTP has outlined several mitigation strategies:
- Restore the prior default user from backup files.
- Review upload and download reports for signs of suspicious activities.
- Limit the IP addresses permitted to perform administrative actions.
- Implement an allowlist for IPs that can connect to the CrushFTP server.
- Utilize a DMZ CrushFTP instance for enhanced security within enterprise environments.
- Ensure that automatic updates are enabled to protect against future vulnerabilities.
Context of Previous Vulnerabilities
Specifics of the attacks exploiting this newly discovered flaw remain uncertain. However, it is noteworthy that earlier CrushFTP vulnerabilities have been abused in the wild: CVE-2025-31161 (CVSS score: 9.8), an authentication bypass, was exploited to deploy malware including the MeshCentral agent, and CVE-2024-4040, also scored 9.8, was leveraged to target various U.S. entities.
The Bigger Picture for Organizations
Given the multiple high-severity vulnerabilities affecting CrushFTP over the past year, the product has become a recurring target in advanced threat campaigns. Organizations should factor this pattern into their security assessments: evaluate the risk posed by third-party managed file transfer solutions, prioritize timely patching of internet-facing instances, and build detection workflows that can catch zero-day abuse, particularly the subsequent installation of remote access tools and misuse of compromised credentials.
By staying vigilant and employing robust security measures, organizations can better protect themselves against this and other evolving threats in the cybersecurity landscape.