Urgent: CrushFTP Warns of Actively Exploited Zero-Day Vulnerability
CrushFTP has warned users about a critical zero-day vulnerability, CVE-2025-54309, that has been actively exploited since July 2025. This allows remote attackers to gain administrative access via HTTPS, bypassing security measures when the DMZ proxy feature is not enabled. Indicators of compromise include unusual network activity and altered system files.
The vulnerability affects versions before 10.8.5 and 11.3.4_23 of CrushFTP. To mitigate the risk, users are urged to update to the latest patched versions, 11.3.4_26 and 10.8.5_12, released by July 18, 2025. Additionally, users should validate MD5 hashes, restore a backup of the default user, or delete it to let CrushFTP recreate it. Reviewing transfer logs for suspicious activity is also recommended.
The zero-day exploit bypasses AS2 validation and can be detected by unusual HTTP authentication bypass behaviors and anomalous network traffic patterns. The company suggests restoring the system to its state before July 16, 2025, for safety.
CrushFTP users are advised to update their software immediately to prevent unauthorized access. Regular system checks and log reviews are crucial to detect and mitigate potential security breaches. The company continues to monitor the situation and will provide updates as necessary.
