1,000+ CrushFTP servers vulnerable to active hijacking attacks

Summary
– Over 1,000 CrushFTP instances are vulnerable to hijack attacks due to a critical security bug (CVE-2025-54309) affecting versions below 10.8.5 and 11.3.4_23.
– The flaw, linked to mishandled AS2 validation, was actively exploited starting July 19th, though attacks may have begun earlier.
– CrushFTP advises users to patch regularly, as updated servers and those using DMZ instances are not vulnerable.
– Shadowserver reports 1,040 unpatched instances, exposing them to data theft, though malware use remains unclear.
– CrushFTP previously patched another zero-day (CVE-2024-4040) in April 2024, linked to politically motivated attacks targeting U.S. organizations.
More than 1,000 CrushFTP servers remain exposed to a critical security flaw, allowing attackers to hijack administrative access and potentially steal sensitive data. Security researchers warn that unpatched systems could face active exploitation, putting organizations at risk of unauthorized access and data breaches.
The vulnerability, identified as CVE-2025-54309, stems from improper AS2 validation and affects CrushFTP versions prior to 10.8.5 and 11.3.4_23. The vendor confirmed active exploitation in mid-July, though evidence suggests attacks may have started earlier. According to CrushFTP’s advisory, hackers reverse-engineered the software to uncover the flaw, which had already been patched in newer releases.
“Users who kept their systems updated were protected, but those running outdated versions remain vulnerable,” the company stated. They emphasized the importance of frequent patching and recommended additional safeguards, including log monitoring, automatic updates, and IP whitelisting for server access.
Scans by Shadowserver, a cybersecurity monitoring platform, reveal that roughly 1,040 CrushFTP instances remain unpatched and open to attack. The organization is actively notifying affected customers, urging immediate remediation to prevent potential data theft.
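For defenders triaging an inventory against the fixed versions named above (10.8.5 for the 10.x line, 11.3.4_23 for the 11.x line), the following is an added example, not code from the article or from CrushFTP. It assumes version strings in CrushFTP's `major.minor.patch` form with an optional `_build` suffix, and treats releases newer than 11.x as fixed; the sample inventory is constructed.

```python
"""Classify CrushFTP version strings against the CVE-2025-54309 fix lines."""
import re
from typing import Dict, Iterable, Tuple

# Fixed releases named in the vendor advisory, keyed by major version line.
FIXED = {10: "10.8.5", 11: "11.3.4_23"}


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn '11.3.4_23' into (11, 3, 4, 23).

    The optional '_NN' build suffix becomes a fourth component; when it is
    absent the build is taken as 0, so '11.3.4' sorts below '11.3.4_23'.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {v!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(v: str) -> bool:
    """True when v is older than the fixed release for its major line.

    Anything below the 10.x line is below 10.8.5 and therefore flagged.
    Assumption (not stated in the article): 12.x and newer are treated as fixed.
    """
    ver = parse_version(v)
    major = ver[0]
    if major < 10:
        return True
    if major > 11:
        return False
    return ver < parse_version(FIXED[major])


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version string to 'vulnerable', 'patched' or 'unparseable'."""
    result: Dict[str, str] = {}
    for v in versions:
        try:
            result[v] = "vulnerable" if is_vulnerable(v) else "patched"
        except ValueError:
            result[v] = "unparseable"  # banner did not yield a version; check by hand
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or real scan data.
    sample = ["10.8.4", "10.8.5", "11.3.4", "11.3.4_22", "11.3.4_23", "11.3.5", "n/a"]
    for version, status in triage(sample).items():
        print(f"{version:>10}: {status}")
```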
While the exact nature of the ongoing attacks remains unclear, managed file transfer (MFT) solutions like CrushFTP have become prime targets for cybercriminals. Ransomware groups, including Clop, have repeatedly exploited zero-day vulnerabilities in similar platforms, such as Accellion FTA, GoAnywhere MFT, and MOVEit Transfer, to steal sensitive corporate and government data.
This isn’t the first time CrushFTP has faced serious security threats. In April 2024, the company addressed another actively exploited zero-day (CVE-2024-4040) that allowed attackers to bypass security controls and access system files. Investigations by CrowdStrike linked those breaches to politically motivated cyberespionage campaigns targeting U.S. organizations.
With cyber threats growing more sophisticated, businesses relying on file transfer solutions must prioritize timely updates and robust security measures to mitigate risks. Failure to patch known vulnerabilities could leave critical systems exposed to compromise, with potentially devastating consequences.
(Source: BLEEPING COMPUTER)