Date: 2025-07-21
Vulnerability Management, Threat Intelligence

Intrusions involving CrushFTP zero-day underway

BleepingComputer reports that CrushFTP enterprise file transfer servers vulnerable to a zero-day bug, tracked as CVE-2025-54309, have been targeted in attacks that compromise administrative access. The attacks are believed to have begun in the wee hours of Thursday.

All CrushFTP builds before July 1 are suspected to be affected by the vulnerability, which stems from the software's web interface and had been unintentionally hindered by a previous patch associated with AS2 in HTTP(S), according to CrushFTP CEO Ben Spink. "The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug," said Spink, who emphasized that the issue is absent from up-to-date systems.

Organizations with potentially compromised CrushFTP systems have been urged to recover default user configurations from a backup dated before July 16, while others have been advised to mitigate the issue by implementing a demilitarized zone (DMZ) instance, automated updates, and IP whitelisting. However, Rapid7 researchers have discouraged the use of a DMZ as a deterrent.

