Updated:
Status:
CVEs:
Fortra is actively researching a zero-day exploit affecting CrushFTP that could allow remote attackers to obtain administrative privileges over HTTPS due to mishandling of AS2 validation when the DMZ proxy feature is not used. This scenario potentially allows attackers to exfiltrate data, inject backdoors, or pivot into internal systems that rely on the server for trusted exchange.
CVE | CVSS 3.1 vector | Score |
---|---|---|
CVE-2025-54309 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 9.0 (Critical) |
IoCs released by CrushFTP
- Default user has admin access
- Long random user IDs created (for example, 7a0d26089ac528941bf8cb998d97f408m)
- Other new usernames created with admin access
- "MainUsers/default/user.xml" file was recently modified and contains a value for "last_logins"
- Buttons from the end-user web interface disappeared, and users previously identified as regular users now have an Admin button
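The file-level indicators above can be checked mechanically. The script below is an added example (not Fortra's or CrushFTP's code) that walks a `MainUsers` directory and reports, per account, which of the listed indicators it matches: a random-looking user ID like the advisory's example, a `default` user whose `user.xml` carries a `last_logins` value, admin access on `default` or on an account you do not recognise, and a `user.xml` modified after a cutoff you choose. Two things are assumptions, not facts from the page: the regex used to recognise random IDs (32 or more hex characters plus at most one trailing character, generalised from the single example), and that admin rights appear as a `(SITE_ADMIN)` flag inside the `<site>` element of `user.xml`; confirm the latter against a known admin account on your own server before relying on it. The sample tree it scans is constructed inline so the script runs offline.

```python
"""Scan a CrushFTP MainUsers tree for the CVE-2025-54309 IoCs listed above.

Added example, not vendor code. The admin-flag location and the random-ID
heuristic are assumptions (see comments); verify them on your own install.
"""
import os
import re
import tempfile
import time
import xml.etree.ElementTree as ET

# Advisory example: 7a0d26089ac528941bf8cb998d97f408m (32 hex chars + a letter).
# Assumed heuristic: 30+ hex chars followed by at most one alphanumeric.
RANDOM_ID_RE = re.compile(r"^[0-9a-f]{30,}[a-z0-9]?$")

# Assumption: admin rights show up as a SITE_ADMIN flag inside <site>.
# Check a known-good admin's user.xml on your server and adjust if needed.
ADMIN_ELEMENT = "site"
ADMIN_MARKER = "(SITE_ADMIN)"


def _text(root, tag):
    """Stripped text of child <tag>, or '' when the element is absent/empty."""
    node = root.find(tag)
    return (node.text or "").strip() if node is not None else ""


def scan_main_users(main_users_dir, modified_since, known_admins=frozenset()):
    """Return {username: [indicator, ...]} for every account matching an IoC.

    modified_since: epoch seconds; user.xml files changed at or after this
    time are flagged. known_admins: usernames that legitimately hold admin.
    """
    findings = {}
    for name in sorted(os.listdir(main_users_dir)):
        user_xml = os.path.join(main_users_dir, name, "user.xml")
        if not os.path.isfile(user_xml):
            continue
        hits = []
        if RANDOM_ID_RE.match(name):
            hits.append("random_looking_user_id")
        try:
            root = ET.parse(user_xml).getroot()
        except ET.ParseError:
            root = None
            hits.append("unparseable_user_xml")
        if root is not None:
            is_admin = ADMIN_MARKER in _text(root, ADMIN_ELEMENT)
            if name == "default":
                if is_admin:
                    hits.append("default_user_has_admin")
                if _text(root, "last_logins"):
                    hits.append("default_user_has_last_logins")
            elif is_admin and name not in known_admins:
                hits.append("unexpected_admin_user")
        if os.path.getmtime(user_xml) >= modified_since:
            hits.append("user_xml_recently_modified")
        if hits:
            findings[name] = hits
    return findings


# Constructed sample user.xml (minimal; real files carry many more elements).
USER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<user type="properties">
  <username>{name}</username>
  <site>{site}</site>
  <last_logins>{last_logins}</last_logins>
</user>
"""


def build_sample_tree():
    """Write a constructed MainUsers tree to a temp dir and return its path."""
    base = tempfile.mkdtemp(prefix="crushftp_ioc_")
    samples = [  # (dir name, admin?, last_logins, file age in seconds)
        ("default", True, "1753000000000", 0),                 # tampered default
        ("7a0d26089ac528941bf8cb998d97f408m", True, "", 0),    # attacker account
        ("alice", False, "", 30 * 86400),                      # ordinary user
        ("crushadmin", True, "", 30 * 86400),                  # legitimate admin
    ]
    for name, admin, last_logins, age in samples:
        user_dir = os.path.join(base, name)
        os.makedirs(user_dir)
        path = os.path.join(user_dir, "user.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(USER_XML.format(name=name,
                                     site=ADMIN_MARKER if admin else "",
                                     last_logins=last_logins))
        stamp = time.time() - age
        os.utime(path, (stamp, stamp))  # backdate untouched accounts
    return base


def demo():
    """Scan the constructed tree with a 7-day window; returns the findings."""
    base = build_sample_tree()
    return scan_main_users(base, modified_since=time.time() - 7 * 86400,
                           known_admins={"crushadmin"})


if __name__ == "__main__":
    for user, indicators in demo().items():
        print(f"{user}: {', '.join(indicators)}")
```

On a real server point `scan_main_users` at `<CrushFTP folder>/users/MainUsers` and set `modified_since` to the last time you changed accounts yourself; treat a `default` user that is both admin and recently modified as the strongest signal, since that is exactly the state the vendor's restore-from-backup advice is meant to undo.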
Who is affected?
CVE-2025-54309 impacts the following versions of CrushFTP:
- All versions 10 below 10.8.5.
- All versions 11 below 11.3.4_23.
Note: Enterprise customers with a DMZ CrushFTP instance in front of their main instance are unaffected by this vulnerability, because the AS2 validation flaw is only reachable when the DMZ proxy feature is not used.
What can I do?
CrushFTP recommends the following actions to mitigate this vulnerability:
- Install the latest available patched versions (listed below)
- Limit the IP addresses from which administrative actions are allowed
- Allowlist the IPs that can connect to the CrushFTP server
- For enterprise users, place a DMZ CrushFTP instance in front of the main instance; AS2 validation is only mishandled when the DMZ proxy feature is not used
- Enable automatic updates
The latest available patched versions are:
- CrushFTP 11.3.4_26
- CrushFTP 10.8.5_12
If your organization was impacted, the vendor recommends the following:
- Restore a prior default user from your backup folder (CrushFTP folder/backup/users/MainUsers/default) from a date/time before the exploit.
- If restoring is not possible, you can delete your default user, and CrushFTP will re-create it, but prior customizations will be lost.
Additional information can be found at:
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
Core Impact: On September 8th, 2025, Fortra delivered the CrushFTP AS2 Authentication Bypass Vulnerability Exploit CVE-2025-54309 to customers.
In CrushFTP, when the DMZ proxy feature is not used, it mishandles AS2 validation. Consequently, it allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
This exploit uses an authentication bypass vulnerability via a race condition in AS2 validation to create a new administrative user in the target application.
If credentials for the new administrative user are not supplied, the module generates random ones.
If exploitation succeeds, the module verifies the new credentials by authenticating against the target.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. As new information about this vulnerability and related security coverage becomes available, this article will be updated.
- 09/08/2025: Core Impact module for CVE-2025-54309 (CrushFTP Zero-Day) released.