Top file transfer tool CrushFTP says a thousand servers are still vulnerable to cyberattack, so patch now
Older CrushFTP versions granted attackers admin access

- CrushFTP had a flaw that allowed admin access via HTTPS
- It was patched in early July 2025, but risks persist
- Around 1,000 servers running older versions at risk as attacks are spotted in the wild
Hackers are actively exploiting a critical vulnerability in CrushFTP instances, gaining admin access to vulnerable servers, experts have warned.
It was addressed in early July 2025 with a patch, with the file transfer company urging customers to apply it as soon as possible.
However, on July 18, the company said it saw a zero-day exploit being used against this vulnerability - meaning it is possible the attacks have been going on for longer, and were only observed then.
Around a thousand targets
In a recently published security advisory, CrushFTP explained that in all 10.x versions below 10.8.5 and all 11.x versions below 11.3.4_23, when the Demilitarized Zone (DMZ) proxy feature is not used, a flaw in the handling of AS2 validation allows remote attackers to obtain admin access via HTTPS.
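A defender triaging an inventory needs to map deployed version strings onto the ranges the advisory gives, including the `_BUILD` suffix used in 11.3.4_23. The helper below is an added example written for this article, not code from CrushFTP or the advisory; the hostnames are constructed, the `dmz_proxy_in_use` flag is assumed to come from your own asset records, and a version with no build suffix is assumed to predate any build of the same number.

```python
import re

# Added example, not CrushFTP code: first fixed release per major line, as the
# advisory states them (10.8.5 and 11.3.4_23). Other major lines are not covered.
FIXED = {10: ((10, 8, 5), 0), 11: ((11, 3, 4), 23)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> tuple[tuple[int, int, int], int]:
    """Parse 'MAJOR.MINOR.PATCH' with an optional '_BUILD' suffix.

    Assumption: a missing build is treated as 0, so a bare 11.3.4 sorts
    before 11.3.4_23 and is reported as still vulnerable.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch)), int(build or 0)


def assess(version: str, dmz_proxy_in_use: bool) -> str:
    """Return 'vulnerable', 'not_affected', or 'unknown' (major line not in the advisory)."""
    core, build = parse_version(version)
    fixed = FIXED.get(core[0])
    if fixed is None:
        return "unknown"
    if dmz_proxy_in_use:
        # Advisory: a DMZ CrushFTP in front of the main instance is not affected.
        return "not_affected"
    return "vulnerable" if (core, build) < fixed else "not_affected"


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("mft-a.example.internal", "10.8.4", False),
    ("mft-b.example.internal", "11.3.4_23", False),
    ("mft-c.example.internal", "11.3.4", False),
    ("mft-d.example.internal", "11.3.1", True),
    ("mft-e.example.internal", "9.4.0", False),
]


def triage(inventory):
    """Pair each host with its assessment so the result can be filtered or exported."""
    return [(host, assess(ver, dmz)) for host, ver, dmz in inventory]


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {status}")
```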
“Hackers apparently reverse engineered our code and found some bug which we had already fixed,” the advisory reads. “They are exploiting it for anyone who has not stayed current on new versions.”
We don’t know if the attackers are using the bug to drop malware, or steal data, and we don’t know the exact number of organizations that were already compromised as a result of this flaw.
We do know that just below 1,000 organizations remain vulnerable, as per the latest data from Shadowserver. These organizations are now being notified of the potential risk. Those who were exploited should restore a prior default user from their backup folder.
“As always we recommend regularly and frequent patching,” CrushFTP warned. “Anyone who had kept up to date was spared from this exploit. Enterprise customers with a DMZ CrushFTP in front of their main are not affected by this.”
The bug is tracked as CVE-2025-54309, and has a severity score of 9.0.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.