View Attach Info

Add new attachment

Only authorized users are allowed to upload new attachments.

This page (revision-15) was last changed on 19-Jul-2025 00:17 by Sandor

This page was created on 18-Jul-2025 11:17 by Ben Spink

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Difference between version and

At line 1 changed one line
July 18th there is a 0-day exploit in the wild. A CVE has been submitted and we are awaiting the assigned of the ID.
July 18th, 9AM CST there is a 0-day exploit seen in the wild. Possibly it has been going on for longer, but we saw it then. A CVE has been submitted and we are awaiting the assigned of the ID.
At line 3 changed one line
Hackers apparently reverse engineered our code and found some bug we had, which we had already fixed, and are exploiting it for anyone who has not stayed up to date.
Hackers apparently reverse engineered our code and found some bug which we had already fixed. They are exploiting it for anyone who has not stayed current on new versions.
At line 5 changed one line
We believe this bug was in builds prior to July 1st time period roughly...we are not fully certain of the exact bug that is being exploited, but it appears the latest versions of CrushFTP already have the issue patched. The attack vector was HTTP(S) for how they could exploit the server.
We believe this bug was in builds prior to July 1st time period roughly...the latest versions of CrushFTP already have the issue patched. The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.
At line 7 changed one line
As always we recommend regularly and frequent patching.
As always we recommend regularly and frequent patching. Anyone who had kept up to date was spared from this exploit.
At line 9 changed one line
We don't believe people with a DMZ CrushFTP in front of their main are affected by this.
Enterprise customers with a DMZ CrushFTP in front of their main are not affected by this.
At line 18 changed one line
These zip files cannot be extracted with native windows unzip and need winrar or macos or winzip etc to extract them.
These zip files cannot be extracted with native windows unzip and you need winrar or macos or winzip etc to extract them. You can also just delete your default user and CrushFTP will re-create it for you, but you won't have any prior customizations you might have done.
Version Date Modified Size Author Changes ... Change note
15 19-Jul-2025 00:17 2.674 kB Sandor to previous
14 18-Jul-2025 16:56 2.566 kB Ben Spink to previous | to last
13 18-Jul-2025 14:56 2.133 kB Ben Spink to previous | to last
12 18-Jul-2025 14:34 2.119 kB Ben Spink to previous | to last
11 18-Jul-2025 14:11 2.166 kB Ben Spink to previous | to last
10 18-Jul-2025 14:09 2.014 kB Ben Spink to previous | to last
9 18-Jul-2025 13:43 1.583 kB Ben Spink to previous | to last
8 18-Jul-2025 13:11 1.513 kB Ben Spink to previous | to last
7 18-Jul-2025 13:10 1.507 kB Ben Spink to previous | to last
6 18-Jul-2025 12:30 1.416 kB Ben Spink to previous | to last
5 18-Jul-2025 12:11 1.325 kB Ben Spink to previous | to last
4 18-Jul-2025 11:39 1.224 kB Ben Spink to previous | to last
3 18-Jul-2025 11:38 1.217 kB Ben Spink to previous | to last
2 18-Jul-2025 11:33 0.935 kB Ben Spink to previous | to last
1 18-Jul-2025 11:17 0.592 kB Ben Spink to last
« This page (revision-15) was last changed on 19-Jul-2025 00:17 by Sandor
G’day (anonymous guest)
CrushFTP11 | What's New

Referenced by
Update

JSPWiki