View Attach Info

Add new attachment

Only authorized users are allowed to upload new attachments.

This page (revision-15) was last changed on 19-Jul-2025 00:17 by Sandor

This page was created on 18-Jul-2025 11:17 by Ben Spink

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Difference between version and

At line 1 changed one line
July 18th there is a 0-day exploit in the wild.
!! CVE-2025-54309
July 18th, 9AM CST there is a 0-day exploit seen in the wild. Possibly it has been going on for longer, but we saw it then.\\
At line 3 removed one line
Hackers apparently reverse engineered our code and found some bug we had, which we had already fixed, and are exploiting it for anyone who has not stayed up to date.
At line 5 changed one line
We believe this bug was in builds prior to July 1st time period roughly...we are not fully certain of the exact bug that is being exploited, but it appears the latest versions of CrushFTP already have the issue patched. The attack vector was HTTP(S) for how they could exploit the server.
Hackers apparently reverse engineered our code and found some bug which we had already fixed. They are exploiting it for anyone who has not stayed current on new versions.
At line 7 changed one line
As always we recommend regularly and frequent patching.
We believe this bug was in builds prior to July 1st time period roughly...the latest versions of CrushFTP already have the issue patched. The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.
At line 9 changed one line
We don't believe people with a DMZ CrushFTP in front of their main are affected by this.
As always we recommend regularly and frequent patching. Anyone who had kept up to date was spared from this exploit.
At line 11 added 2 lines
Enterprise customers with a DMZ CrushFTP in front of their main are not affected by this.
At line 18 changed one line
These zip files cannot be extracted with native windows unzip and need winrar or macos or winzip etc to extract them.
These zip files cannot be extracted with native windows unzip and you need 7Zip, winrar or macos or winzip etc to extract them. You can also just delete your default user and CrushFTP will re-create it for you, but you won't have any prior customizations you might have done.
At line 24 added 2 lines
Review upload/download reports for anything transferred. Hackers re-used scripts from prior exploits to deploy things on CrushFTP servers. We recommend restoring to July 16th time period just to avoid anything that might have been done. While we saw the major bulk of exploits in the morning of July 18th, the actual exploits may have been occuring a day earlier while administrators were asleep.\\
At line 25 changed 2 lines
Enterprise users use a DMZ Crush instance in front\\
Allow automatic and frequent patching\\
Enterprise users use a [DMZ] CrushFTP instance in front\\
Allow automatic and frequent updating (Preferences, Updates)\\
At line 30 changed one line
Your default user has "last_logins" in it...this would not be normal.
Your MainUsers/default/user.XML has "last_logins" in it...this would not be normal.\\
The modified date on your default user.XML is recent...\\
Default user has admin access...\\
Long random userid's created you don't recognize...example: 7a0d26089ac528941bf8cb998d97f408m\\
Other usernames recently created with admin access.\\
Buttons from the end-user webinterface disappeared, and formerly regular user now has Admin button\\
Version Date Modified Size Author Changes ... Change note
15 19-Jul-2025 00:17 2.674 kB Sandor to previous
14 18-Jul-2025 16:56 2.566 kB Ben Spink to previous | to last
13 18-Jul-2025 14:56 2.133 kB Ben Spink to previous | to last
12 18-Jul-2025 14:34 2.119 kB Ben Spink to previous | to last
11 18-Jul-2025 14:11 2.166 kB Ben Spink to previous | to last
10 18-Jul-2025 14:09 2.014 kB Ben Spink to previous | to last
9 18-Jul-2025 13:43 1.583 kB Ben Spink to previous | to last
8 18-Jul-2025 13:11 1.513 kB Ben Spink to previous | to last
7 18-Jul-2025 13:10 1.507 kB Ben Spink to previous | to last
6 18-Jul-2025 12:30 1.416 kB Ben Spink to previous | to last
5 18-Jul-2025 12:11 1.325 kB Ben Spink to previous | to last
4 18-Jul-2025 11:39 1.224 kB Ben Spink to previous | to last
3 18-Jul-2025 11:38 1.217 kB Ben Spink to previous | to last
2 18-Jul-2025 11:33 0.935 kB Ben Spink to previous | to last
1 18-Jul-2025 11:17 0.592 kB Ben Spink to last
« This page (revision-15) was last changed on 19-Jul-2025 00:17 by Sandor
G’day (anonymous guest)
CrushFTP11 | What's New

Referenced by
Update

JSPWiki