A critical zero-day vulnerability in CrushFTP, CVE-2025-54309, is being actively exploited by threat actors to gain unauthenticated administrative access to vulnerable servers via HTTPS. The flaw, caused by improper validation of AS2 (Applicability Statement 2) protocol messages when the DMZ proxy feature is disabled, affects thousands of internet-exposed file transfer servers used by government agencies, enterprises, and healthcare providers.
The vulnerability was first detected in the wild on July 18, 2025, and likely existed in CrushFTP builds prior to July 1st, 2025. Threat actors reportedly reverse-engineered recent code changes to uncover and weaponize this bug—an alarming sign of adversary sophistication.
Key Details
- Severity: CRITICAL (CVSS 9.0)
- Vulnerability Type: CWE-420 (Unprotected Alternate Channel)
- Vector: HTTPS interface (when DMZ is not in use)
- Privileges Required: None (unauthenticated)
- Impact: Remote Code Execution → Admin Access → Full System Compromise
- Affected Versions:
  - CrushFTP 10 before 10.8.5
  - CrushFTP 11 before 11.3.4_23
Real-World Exploitation
According to the Shadowserver Foundation, over 1,000 vulnerable CrushFTP instances remain exposed across the U.S., Canada, and Europe. Given CrushFTP’s use in handling regulated data, exploitation can lead to significant data breaches, compliance violations, and operational disruption.
Attackers have been observed modifying key configuration files (MainUsers/default/user.xml), injecting malicious admin accounts, and altering user permissions. The attack bypasses authentication altogether and does not require user interaction.
Indicators of Compromise (IOCs)
| Indicator | Description |
| --- | --- |
| Unknown Admin Users | Presence of newly created admin-level accounts with long, random usernames (e.g., 7a0d26089ac528941bf8cb998d97f408m) |
| Modified user.xml Files | Recent changes in MainUsers/default/user.xml, particularly new or suspicious last_logins entries |
| Unexpected Admin UI Access | Admin interface buttons visible to standard or non-privileged user accounts |
| Suspicious Admin Logins | Administrative login events from unfamiliar or foreign IP addresses |
| Permission Changes | Unexplained modifications to folder-level permissions in sensitive directories |
Mitigation & Recommendations
- Patch Immediately
  - Upgrade to v10.8.5+ (CrushFTP 10)
  - Upgrade to v11.3.4_23+ (CrushFTP 11)
- Audit for Compromise
  - Review user.xml modification timestamps
  - Search logs for unknown admin logins or access anomalies
  - Validate folder permission integrity
- Restrict Admin Access
  - Enforce IP allowlisting
  - Isolate admin interfaces from public exposure
- Use Defense-in-Depth
  - While a DMZ deployment can limit exposure, we caution against relying on it as the sole mitigation. Always pair segmentation with up-to-date patching and access controls.
- Enable Automatic Updates
  - This reduces the window of exposure for future zero-days.
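The IOC table and the audit steps above can be turned into a small triage routine. The following is an added example, not CrushFTP's own tooling or part of the original advisory: it flags admin accounts with random-looking usernames, admin accounts modified on or after the advisory's July 1, 2025 cutoff, and last_logins entries from outside a trusted network. The element names username, site_admin and last_logins, the login attribute layout, and the allowlist are assumptions; adjust them to the schema found in your own user.xml files.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Long hex-like name with an optional trailing letter, shaped like the IOC 7a0d26089ac528941bf8cb998d97f408m
RANDOM_NAME = re.compile(r"[0-9a-f]{24,}[a-z]?")
# Builds before July 1, 2025 are the likely-vulnerable ones, so review admin accounts touched since then
CUTOFF = datetime(2025, 7, 1, tzinfo=timezone.utc)
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed allowlist, replace with your own


def login_is_trusted(ip: str) -> bool:
    """True when the login source address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or missing address is never trusted
    return any(addr in net for net in TRUSTED_NETS)


def triage_user_xml(xml_text: str, mtime: datetime) -> list[str]:
    """Return IOC labels for one user.xml (assumed schema); an empty list means nothing suspicious."""
    root = ET.fromstring(xml_text)
    name = (root.findtext("username") or "").strip()
    is_admin = (root.findtext("site_admin") or "").strip().lower() == "true"
    findings = []
    if is_admin and RANDOM_NAME.fullmatch(name):
        findings.append("random-admin-username")
    if is_admin and mtime >= CUTOFF:
        findings.append("admin-modified-after-cutoff")
    for entry in root.findall("./last_logins/login"):
        ip = (entry.get("ip") or "").strip()
        if not login_is_trusted(ip):
            findings.append(f"untrusted-login:{ip}")
    return findings


# Constructed samples, not captured data.
SUSPICIOUS = """<user><username>7a0d26089ac528941bf8cb998d97f408m</username><site_admin>true</site_admin>
<last_logins><login ip="203.0.113.7" time="2025-07-18T03:12:00Z"/></last_logins></user>"""
SUSPICIOUS_MTIME = datetime(2025, 7, 18, tzinfo=timezone.utc)
BENIGN = """<user><username>alice</username><site_admin>false</site_admin>
<last_logins><login ip="10.1.2.3" time="2025-06-02T09:00:00Z"/></last_logins></user>"""
BENIGN_MTIME = datetime(2025, 6, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("suspicious:", triage_user_xml(SUSPICIOUS, SUSPICIOUS_MTIME))
    print("benign:", triage_user_xml(BENIGN, BENIGN_MTIME))
```

In a real hunt, walk the MainUsers tree, read each user.xml, and pass the file's modification time as `mtime`.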
Why It Matters
CrushFTP has now seen multiple actively exploited zero-days in the past year, making it a recurring target for high-stakes data theft campaigns. Similar vulnerabilities in managed file transfer (MFT) platforms such as MOVEit, GoAnywhere, and Accellion have been exploited by ransomware groups like Clop for large-scale extortion.
Organizations using CrushFTP should treat this incident as a wake-up call to evaluate third-party file transfer risks, enforce a regular patch cadence, and enhance monitoring for privileged access anomalies.
Stay Safe. Stay Secure
OP Innovate Research Team