Recently CrushFTP, the developer of the enterprise file transfer server of the same name (supporting FTP, SFTP and HTTP/S), warned of a serious zero-day vulnerability (CVE-2025-54309) that allows attackers to gain remote administrative control through the web interface.

The vulnerability, tracked as CVE-2025-54309, is rated critical (CVSS 9.0) and has been actively exploited since at least July 18, 2025.

CrushFTP is server software used by many organizations to transfer and manage files over protocols such as FTP, SFTP and HTTP/S, valued for its flexibility and security features. However, according to the warning from the CrushFTP developers themselves, a flaw in the AS2 validation path when requests arrive over HTTP(S) allowed attackers to take control of the server without authentication. Although the flaw had already been fixed incidentally by an update in early July, the attackers reportedly reverse-engineered that code change and derived a working exploit against the earlier, unpatched code.

Attackers use this vulnerability to modify or create administrator accounts; in many cases the default account is altered into an invalid but still functioning form. Early indicators include suspicious changes in the MainUsers/default/user.XML file, such as the appearance of unexpected "last logins" fields or admin accounts with random-looking names. The upload/download logs may also record unusual activity if the system has been compromised.

The affected versions are CrushFTP v10 before 10.8.5 and v11 before 11.3.4_23, i.e. builds released before July 1. Systems that are fully updated, or that place a CrushFTP DMZ proxy instance in front of the main server, are considered less exposed. Experts nevertheless advise against treating a DMZ as absolute protection in this case.

There is currently no confirmation that data was stolen or malware planted through these attacks, but control over the web interface opens the door to data leakage, extortion, and long-term unauthorized access. This is not a new concern: corporate file transfer systems such as MOVEit, GoAnywhere, and Accellion FTA have all been exploited by large ransomware groups in global campaigns.

For prevention and response, WhiteHat and other security experts recommend that system administrators take the following measures immediately:

  • Update to CrushFTP v10.8.5_12 or v11.3.4_26 or later.
  • Review the user configuration file (MainUsers/default/user.XML) and, if it appears to have been modified, restore it from a backup taken before July 16.
  • Delete the "default" account so that the software safely regenerates it.
  • Check the upload/download logs for unusual activity.
  • Limit administrative access by configuring a whitelist of trusted IP addresses.
  • Consider deploying a DMZ instance, but do not treat it as the only safeguard.
  • Enable automatic software updates and monitor security advisories regularly.
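
The version check and the user.XML review from the list above, and the indicators of compromise described earlier (new admin accounts with random-looking names, an unexpected "last logins" field, changes relative to a pre-July-16 backup), can be scripted. The following is an added example written for this article, not CrushFTP's own tooling or a script from the advisory. It assumes a simplified user.XML layout (a <users> root with <user> elements carrying <username>, <admin> and <last_logins> children) and a version string format of the form 11.3.4_23; both are assumptions for illustration, and the sample files are constructed, so adapt the element names to what your server actually writes.

```python
"""Triage helper for the CVE-2025-54309 indicators described in the article.

Illustrative code, not CrushFTP's own tooling. The user.XML structure used
here (<users>/<user> with <username>, <admin>, <last_logins>) is an assumed,
simplified approximation; verify it against the real files on your server.
"""
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Minimum recommended builds from the advisory, keyed by major version.
PATCHED = {10: (10, 8, 5, 12), 11: (11, 3, 4, 26)}


def parse_version(v):
    """Turn a version string such as '11.3.4_23' into a comparable tuple.

    The optional '_NN' suffix is the build number; a missing suffix counts
    as build 0 so that '11.3.4' sorts below '11.3.4_23'.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_patched(v):
    """True if the installed version is at or above the recommended build."""
    parsed = parse_version(v)
    target = PATCHED.get(parsed[0])
    if target is None:  # major version not covered by the advisory
        return False
    return parsed >= target


def shannon_entropy(s):
    """Bits of entropy per character; machine-generated names score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def load_users(xml_text):
    """Return {username: {'admin': bool, 'fields': set of child tag names}}."""
    root = ET.fromstring(xml_text)
    users = {}
    for u in root.iter("user"):
        name = u.findtext("username", default="")
        users[name] = {
            "admin": u.findtext("admin", default="false").lower() == "true",
            "fields": {child.tag for child in u},
        }
    return users


def triage_user_xml(current_xml, baseline_xml, entropy_threshold=3.5):
    """Compare the current user.XML with a pre-July-16 backup.

    Returns a list of findings covering the three indicators: admin
    accounts absent from the backup, admin names that look random, and a
    last_logins field appearing where the backup had none.
    """
    cur = load_users(current_xml)
    base = load_users(baseline_xml)
    findings = []
    for name, info in cur.items():
        if info["admin"] and name not in base:
            findings.append(f"new admin account not in backup: {name!r}")
        if info["admin"] and len(name) >= 12 and shannon_entropy(name) > entropy_threshold:
            findings.append(f"random-looking admin username: {name!r}")
        if "last_logins" in info["fields"] and (
            name not in base or "last_logins" not in base[name]["fields"]
        ):
            findings.append(f"unexpected last_logins field on {name!r}")
    return findings


# Constructed sample files (not real CrushFTP data) so the script runs offline.
BASELINE_XML = """<users>
  <user><username>default</username><admin>false</admin></user>
  <user><username>admin</username><admin>true</admin></user>
</users>"""

COMPROMISED_XML = """<users>
  <user><username>default</username><admin>false</admin>
        <last_logins>2025-07-18</last_logins></user>
  <user><username>admin</username><admin>true</admin></user>
  <user><username>7fJk2qPz9LmX4vRt</username><admin>true</admin></user>
</users>"""

if __name__ == "__main__":
    for v in ("11.3.4_23", "11.3.4_26", "10.8.5"):
        print(v, "patched" if is_patched(v) else "UPGRADE REQUIRED")
    for finding in triage_user_xml(COMPROMISED_XML, BASELINE_XML):
        print("FINDING:", finding)
```

Run against the constructed files, the script reports that 11.3.4_23 and 10.8.5 still need the upgrade, and flags the injected admin account twice (absent from the backup and random-looking) plus the last_logins field that appeared on the default account. The entropy threshold is a heuristic: a short or dictionary-like admin name will pass it, so treat the backup comparison, not the entropy score, as the authoritative check.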

This incident again shows that corporate file transfer systems are attractive targets for cybercriminals. Amid increasing attacks on middleware, regular software updates and configuration reviews are more important than ever. Organizations need to act quickly to protect digital assets and customer data before it is too late.
Source: compiled by WhiteHat