A critical zero-day vulnerability in CrushFTP is being exploited in the wild, enabling unauthenticated attackers to take full control of affected servers and access sensitive enterprise data.
The vulnerability, tracked as CVE-2025-54309, is a critical flaw in the CrushFTP file transfer server. It is classified as an Unprotected Alternate Channel weakness (CWE-420): the web interface exposes an alternate request path over HTTP(S) whose AS2 validation is mishandled, so an attacker who never authenticates can reach administrative functions and obtain admin access to the server.
- Severity: Critical (CVSS 9.0)
- Attack Vector: Remote (unauthenticated HTTP/S requests)
- Affected Versions:
  - CrushFTP 10: all versions below build 10.8.5
  - CrushFTP 11: all versions below build 11.3.4_23
Active Exploitation Confirmed
CrushFTP confirmed that the vulnerability was being actively exploited as of July 18, 2025. Threat actors have used the zero-day against exposed file transfer servers, gaining administrative privileges and, in some cases, exfiltrating data or deploying additional payloads.
According to researchers monitoring the campaign, the attackers appear to have reverse-engineered the vendor's recent code changes to locate the flaw and weaponise it before most customers had updated. The intrusions resemble earlier CrushFTP incidents, including the use of modified web scripts and timed payload delivery.
Attack Surface and Risk
At the time of disclosure, an estimated 7,300 CrushFTP servers were reachable from the public internet. Unpatched systems remain at significant risk, particularly those exposed directly to the internet or reachable from untrusted internal networks.
Exploitation of the flaw allows adversaries to:
- Gain full administrative control of the CrushFTP instance
- Bypass authentication mechanisms
- Steal or manipulate stored data and files
- Exfiltrate system configurations, user credentials, and cryptographic keys
- Deploy additional malware or pivot within a network
Vendor Response and Patch Availability
CrushFTP has released emergency software updates to remediate the issue. All users are strongly advised to upgrade to one of the following secure builds immediately:
- CrushFTP 10: Upgrade to build 10.8.5_12 or later
- CrushFTP 11: Upgrade to build 11.3.4_26 or later
Instances fronted by the CrushFTP DMZ proxy were not exposed to this attack path, but for every other deployment only the patch closes the hole: a perimeter firewall that still allows HTTP(S) to the server offers no protection, because the exploit travels over the same port legitimate users need.
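The only reliable way to know whether a server is exposed is to compare its build string against the thresholds listed above. The following script is an added example, not CrushFTP's own tooling: it parses CrushFTP build strings of the form "11.3.4_26" (the "_NN" suffix is assumed to be an incremental build number within a release, with a missing suffix treated as build 0), classifies each one against the first-fixed and recommended builds from this advisory, and groups a constructed host inventory so the vulnerable servers can be pulled first. Hostnames and builds in SAMPLE_INVENTORY are made up for the example.

```python
import re

# Thresholds taken from the advisory text above.
# FIRST_FIXED: first build in each major line that contains the fix
# (every build below it is affected).
# RECOMMENDED: the build the vendor tells users to upgrade to.
FIRST_FIXED = {10: "10.8.5", 11: "11.3.4_23"}
RECOMMENDED = {10: "10.8.5_12", 11: "11.3.4_26"}

# CrushFTP build strings look like "11.3.4_26" or "10.8.5". The "_NN"
# suffix is assumed to be an incremental build number within the release.
_BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\s*$")


def parse_build(build: str) -> tuple[int, int, int, int]:
    """Turn a CrushFTP build string into a comparable tuple.

    A missing "_NN" suffix is treated as build 0 (an assumption), so
    "10.8.5" sorts below "10.8.5_1" and well below "10.8.5_12".
    """
    m = _BUILD_RE.match(build)
    if not m:
        raise ValueError(f"unrecognised CrushFTP build string: {build!r}")
    major, minor, patch, num = m.groups()
    return (int(major), int(minor), int(patch), int(num or 0))


def assess(build: str) -> str:
    """Classify one build against the CVE-2025-54309 thresholds.

    Returns one of:
      "vulnerable" - below the first fixed build for its major line
      "fixed-old"  - contains the fix but is older than the recommended build
      "patched"    - at or above the recommended build
      "unknown"    - a major version the advisory does not cover (e.g. 9.x)
    """
    v = parse_build(build)
    major = v[0]
    if major not in FIRST_FIXED:
        return "unknown"
    if v < parse_build(FIRST_FIXED[major]):
        return "vulnerable"
    if v < parse_build(RECOMMENDED[major]):
        return "fixed-old"
    return "patched"


def sweep(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by assessment; unparseable builds get their own bucket
    rather than silently passing as safe."""
    groups: dict[str, list[str]] = {}
    for host, build in inventory.items():
        try:
            status = assess(build)
        except ValueError:
            status = "unparseable"
        groups.setdefault(status, []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (hostnames and builds are made up for this
# example; in practice the mapping would come from a CMDB or from the
# version shown in each server's admin interface).
SAMPLE_INVENTORY = {
    "ftp-edge-01.example.test": "11.3.4_22",
    "ftp-edge-02.example.test": "11.3.4_26",
    "ftp-legacy.example.test": "10.8.4",
    "ftp-partner.example.test": "10.8.5",
    "ftp-old.example.test": "9.5.0",
    "ftp-odd.example.test": "11.3.4-beta",
}

if __name__ == "__main__":
    for status, hosts in sweep(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts)}")
```

Anything that lands in the "unparseable" or "unknown" buckets needs a human look rather than being dropped: a build string the script cannot read is not evidence that the host is safe, and a 9.x server is simply outside the advisory's scope, not patched.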