CVE-2025-54309#

July 18th, 9AM CST there is a 0-day exploit seen in the wild. Possibly it has been going on for longer, but we saw it then.

Hackers apparently reverse engineered our code and found some bug which we had already fixed. They are exploiting it for anyone who has not stayed current on new versions.

We believe this bug was in builds prior to July 1st time period roughly...the latest versions of CrushFTP already have the issue patched. The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.

As always we recommend regularly and frequent patching. Anyone who had kept up to date was spared from this exploit.

Enterprise customers with a DMZ CrushFTP in front of their main are not affected by this.

Affected Versions:#

All version 10 below 10.8.5.
All version 11 below 11.3.4_23.

If you were exploited:#

restore a prior default user from your backup folder from before the exploit. CrushFTP folder/backup/users/MainUsers/default.....

These zip files cannot be extracted with native windows unzip and you need 7Zip, winrar or macos or winzip etc to extract them. You can also just delete your default user and CrushFTP will re-create it for you, but you won't have any prior customizations you might have done.

Restore it to your CrushFTP folder/users/MainUsers/default

Review upload/download reports for anything transferred. Hackers re-used scripts from prior exploits to deploy things on CrushFTP servers. We recommend restoring to July 16th time period just to avoid anything that might have been done. While we saw the major bulk of exploits in the morning of July 18th, the actual exploits may have been occuring a day earlier while administrators were asleep.

Future mitigation techniques:#

Limit IPs allowed for administration
Whitelist IPs that can connect to your server
Enterprise users use a DMZ CrushFTP instance in front
Allow automatic and frequent updating (Preferences, Updates)

Compromise indicators:#

Your MainUsers/default/user.XML has "last_logins" in it...this would not be normal.
The modified date on your default user.XML is recent...
Default user has admin access...
Long random userid's created you don't recognize...example: 7a0d26089ac528941bf8cb998d97f408m
Other usernames recently created with admin access.
Buttons from the end-user webinterface disappeared, and formerly regular user now has Admin button