CrushFTP zero-day actively exploited at least since July 18

Hackers are exploiting a CrushFTP zero-day, tracked as CVE-2025-54309, to gain admin access over HTTPS on servers where the DMZ proxy feature is not in use.

Threat actors are exploiting a zero-day vulnerability, tracked as CVE-2025-54309 (CVSS score of 9.0), in the managed file transfer software CrushFTP to gain administrative privileges on vulnerable servers via HTTPS.

CrushFTP warned that the zero-day has been exploited over HTTP(S) since at least July 18. According to the vendor, the attackers reverse engineered a recent code change, a fix for an unrelated AS2 issue in HTTP(S), and worked out how the older bug it touched could be abused; builds from before roughly July 1 are affected, while current releases already contain the fix.

“July 18th, 9AM CST there is a 0-day exploit seen in the wild. Possibly it has been going on for longer, but we saw it then. Hackers apparently reverse engineered our code and found some bug which we had already fixed. They are exploiting it for anyone who has not stayed current on new versions.” reads the advisory.

“We believe this bug was in builds prior to July 1st time period roughly…the latest versions of CrushFTP already have the issue patched. The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.”

Affected builds are CrushFTP 10 before 10.8.5 and CrushFTP 11 before 11.3.4_23; on those builds a remote attacker can obtain admin access via HTTPS when the DMZ proxy feature is not in use. As of July 18, 2025, the fixed releases are 10.8.5_12 and 11.3.4_26.

The company urges customers to update to a fixed version of CrushFTP, and to check the running build number rather than assuming an earlier upgrade is sufficient, since the bug was closed only in builds from around July 1 onward.

According to the advisory, indicators of compromise include a “last_logins” entry in the default user’s user.XML (an entry that should not normally be there) and a recent modification date on that file, unknown admin users, long random usernames, missing buttons in the WebInterface, a fake version number displayed by the attackers to make the server look patched, and altered files. Users should compare the MD5 hashes shown in the “About” tab against known-good values to detect tampering or injected code.
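The file-level indicators above (a “last_logins” entry, a post-July-18 modification time, an admin flag on an unexpected account, a long random username) are easy to check in bulk across a users directory. The script below is an added example, not CrushFTP’s own tooling: the element names it looks for (`username`, `last_logins`, a boolean element with “admin” in its name) and the `users/MainUsers` layout are assumptions for illustration, and the two sample user.XML documents are constructed, not taken from a real server. Confirm the tag names against a user.XML your own installation wrote before relying on it.

```python
"""Triage CrushFTP user.XML files for the indicators named in the CVE-2025-54309 advisory.

Added example, not CrushFTP's own code. The element names used below (username,
last_logins, an admin-style boolean flag) are assumptions for illustration; confirm
them against a user.XML written by your own installation before relying on this.
"""
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

# Earliest known exploitation per the advisory (July 18, 9AM CST). A date-only cutoff
# in UTC is deliberately conservative; narrow it to your own incident timeline.
EXPLOIT_SEEN = datetime(2025, 7, 18, tzinfo=timezone.utc)

# Constructed samples (not from a real server): a benign default user, and one that
# shows the advisory's indicators.
CLEAN_USER_XML = """<user type="properties">
  <username>default</username>
  <max_logins>0</max_logins>
</user>"""
CLEAN_MTIME = datetime(2025, 7, 10, tzinfo=timezone.utc)

SUSPECT_USER_XML = """<user type="properties">
  <username>xK9fQ2mW7pL4bR8tZ3yHv6cJ</username>
  <admin>true</admin>
  <last_logins>2025-07-19</last_logins>
</user>"""
SUSPECT_MTIME = datetime(2025, 7, 19, tzinfo=timezone.utc)


def shannon_entropy(s: str) -> float:
    """Bits per character; random alphanumeric strings score well above ordinary names."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(username: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """The 'long random usernames' indicator: long and high-entropy at the same time."""
    return len(username) >= min_len and shannon_entropy(username) >= min_entropy


def scan_user_xml(xml_text: str, modified: datetime, cutoff: datetime = EXPLOIT_SEEN) -> list:
    """Return the findings for one user.XML; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    props = {child.tag: (child.text or "").strip() for child in root}
    findings = []
    if "last_logins" in props:
        findings.append("unexpected last_logins entry present")
    if modified >= cutoff:
        findings.append(f"file modified {modified.date()}, on/after {cutoff.date()}")
    for tag, value in props.items():
        # Assumption: an admin grant appears as a boolean element with 'admin' in its name.
        if "admin" in tag.lower() and value.lower() == "true":
            findings.append(f"admin flag set via <{tag}>")
    username = props.get("username", "")
    if looks_random(username):
        findings.append(f"long random username ({len(username)} chars)")
    return findings


def scan_users_dir(users_dir: Path, cutoff: datetime = EXPLOIT_SEEN) -> dict:
    """Walk a users directory (assumed: CrushFTP/users/MainUsers) and map flagged files to findings."""
    results = {}
    for path in users_dir.rglob("user.XML"):
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        try:
            findings = scan_user_xml(path.read_text(encoding="utf-8"), mtime, cutoff)
        except ET.ParseError as exc:
            findings = [f"unparseable XML ({exc}); inspect by hand"]
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for label, xml_text, mtime in (("clean", CLEAN_USER_XML, CLEAN_MTIME),
                                   ("suspect", SUSPECT_USER_XML, SUSPECT_MTIME)):
        print(label, scan_user_xml(xml_text, mtime) or "no findings")
```

Run `scan_users_dir(Path("/path/to/CrushFTP/users/MainUsers"))` on a copy of the users tree taken from the suspect host; the modification-time check uses the file system’s mtime, so work from an image or a `cp -p` copy that preserves timestamps rather than a fresh export. A hit on the entropy check alone is only a prompt to look closer, since service accounts with generated names will also trip it.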

If the server was compromised, restore the default user from a backup taken before July 18, found under CrushFTP/backup/users/MainUsers/default; the backups are archives that can be extracted with 7-Zip or a similar tool. Alternatively, delete the default user and let CrushFTP recreate it, accepting that any custom settings on that account will be lost. The company also recommends reviewing transfer logs for suspicious activity, noting that the attackers reused old scripts, and says the safest course is to roll the server back to its July 16 state.

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2025-54309)
