A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS score of 9.0.

"CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS," according to a description of the vulnerability in the NIST's National Vulnerability Database (NVD).

CrushFTP, in an advisory, said it first detected the zero-day exploitation of the vulnerability in the wild on July 18, 2025, 9 a.m. CST, although it acknowledged that it may have been weaponized much earlier.


"The attack vector was HTTP(S) for how they could exploit the server," the company said. "We had fixed a different issue related to AS2 in HTTP(S) not realizing that a prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug."

CrushFTP is widely used in government, healthcare, and enterprise environments to manage sensitive file transfers, making administrative access especially dangerous. A compromised instance can allow attackers to exfiltrate data, inject backdoors, or pivot into internal systems that rely on the server for trusted exchange. Without DMZ isolation, the exposed instance becomes a single point of failure.

The company said the unknown threat actors behind the malicious activity managed to reverse engineer its source code and discovered the new flaw to target devices that are yet to be updated to the latest versions. It's believed that CVE-2025-54309 was present in CrushFTP builds prior to July 1.

CrushFTP has also released the following indicators of compromise (IoCs) -

  • Default user has admin access
  • Long random user IDs created (e.g., 7a0d26089ac528941bf8cb998d97f408m)
  • Other new usernames created with admin access
  • The file "MainUsers/default/user.xml" was recently modified and has a "last_logins" value in it
  • Buttons from the end user web interface disappeared, and users previously identified as regular users now have an Admin button

Security teams investigating possible compromise should review user.xml modification times, correlate admin login events with public IPs, and audit permission changes on high-value folders. It's also essential to look for suspicious patterns in access logs tied to newly created users or unexplained admin role escalations, which are typical signs of post-exploitation behavior in real-world breach scenarios.
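A defender-side triage script, added here as an illustration (it is not CrushFTP's own tooling), that walks a MainUsers/ tree and checks each user directory against the IoCs listed above: random-looking user IDs, the default user holding admin access, other admin accounts, and a recently modified default user.xml containing last_logins. The user.xml layout (`<admin>`, `<last_logins>` child elements), the 30-day window and the sample tree are all constructed assumptions, not CrushFTP's real schema.

```python
import re
import tempfile
import time
import xml.etree.ElementTree as ET
from pathlib import Path

# Long random user IDs from the IoC list: 32 hex chars plus a trailing letter, modelled on "7a0d26089ac528941bf8cb998d97f408m".
RANDOM_ID = re.compile(r"^[0-9a-f]{32}[a-z]$")


def triage_user(user_dir: Path, now: float, window_days: int = 30) -> list[str]:
    """Check one MainUsers/<name>/user.xml against the published IoCs."""
    findings, name, xml_path = [], user_dir.name, user_dir / "user.xml"
    if not xml_path.is_file():
        return findings
    if RANDOM_ID.match(name):
        findings.append(f"{name}: random-looking user ID")
    root = ET.parse(xml_path).getroot()
    # ASSUMPTION: admin flag and last_logins are modelled as <admin>/<last_logins> children; the real schema may differ.
    is_admin = (root.findtext("admin") or "").strip().lower() == "true"
    if is_admin and name == "default":
        findings.append("default: default user has admin access")
    elif is_admin and name != "crushadmin":  # crushadmin is the built-in admin named on the page
        findings.append(f"{name}: new account with admin access")
    recent = (now - xml_path.stat().st_mtime) < window_days * 86400
    if name == "default" and recent and root.find("last_logins") is not None:
        findings.append("default: user.xml recently modified and contains last_logins")
    return findings


def triage_tree(main_users: Path, now=None) -> list[str]:
    """Walk MainUsers/ and collect IoC findings for every user directory."""
    now = time.time() if now is None else now
    return [f for d in sorted(main_users.iterdir()) if d.is_dir() for f in triage_user(d, now)]


def run_sample() -> list[str]:
    """Build a constructed MainUsers tree in a temp dir and triage it (sample data, not a real server)."""
    sample = {  # constructed user.xml bodies
        "crushadmin": "<user><admin>true</admin></user>",
        "default": "<user><admin>true</admin><last_logins>2025-07-18</last_logins></user>",
        "7a0d26089ac528941bf8cb998d97f408m": "<user><admin>true</admin></user>",
        "alice": "<user><admin>false</admin></user>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "MainUsers"
        for name, body in sample.items():
            (root / name).mkdir(parents=True)
            (root / name / "user.xml").write_text(body)
        return triage_tree(root)
```

Point `triage_tree` at a copy of a real MainUsers/ directory to get the same findings for an actual instance.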

As mitigations, the company recommends that users restore a prior default user from the backup folder, as well as review upload/download reports for any signs of suspicious transfers. Other steps include -

  • Limit the IP addresses used for administrative actions
  • Allowlist IPs that can connect to the CrushFTP server
  • Switch to DMZ CrushFTP instance for enterprise use
  • Ensure automatic updates are enabled

At this stage, the exact nature of the attacks exploiting the flaw is not known. Earlier this April, another security defect in the same solution (CVE-2025-31161, CVSS score: 9.8) was weaponized to deliver the MeshCentral agent and other malware.

Last year, it also emerged that a second critical vulnerability impacting CrushFTP (CVE-2024-4040, CVSS score: 9.8) was leveraged by threat actors to target multiple U.S. entities.

With multiple high-severity CVEs exploited over the past year, CrushFTP has emerged as a recurring target in advanced threat campaigns. Organizations should consider this pattern as part of broader threat exposure assessments, alongside patch cadence, third-party file transfer risks, and zero-day detection workflows involving remote access tools and credential compromise.

CVE-2025-54309 Added to CISA KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on July 22, 2025, added CVE-2025-54309 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by August 12, 2025.

CrushFTP Attack Analyzed

Cybersecurity company ReliaQuest, in an analysis published on July 28, 2025, said it observed exploitation attempts targeting CrushFTP, including failed efforts to weaponize CVE-2025-54309.

"The attack exploited a flaw in Applicability Statement 2 (AS2) validation, abusing an unprotected alternative communication channel," it said. "Despite logs initially indicating failed access attempts, the attack ultimately compromised an administrative account, aiming to overwrite the default user account to repurpose it as a backdoor."

The infection sequence is said to have leveraged the compromised "crushadmin" account to conduct directory enumeration and extract metadata about the discovered directories, setting the stage for follow-on activities, including manipulating account configuration to erase the original account and recreate "crushadmin" with elevated permissions in order to use it for persistent access.

The unknown threat actor behind the activity has also been found targeting the virtual file system (VFS) in a bid to gain entrenched control over critical files and directories. However, these actions proved to be unsuccessful due to policy-based restrictions and IP allowlist protections.

According to data from Censys, there are 55,683 devices exposing the CrushFTP web interface, although how many of these are vulnerable to the flaw remains unknown.

Technical Details of CVE-2025-54309 Emerge

In a new analysis published on August 27, 2025, watchTowr Labs said the vulnerability revolves around a race condition that makes it possible to create administrator users via two types of crafted HTTPS requests -

  • [1], which contains the AS2-TO and Content-Type headers, with AS2-TO set to \crushadmin, the built-in CrushFTP administrative user
  • [2], which contains neither of the two headers

"Within HTTP request [1], the user property (username) specified in the AS2-TO header is set inside the session object of the cookies CrushAuth and currentAuth," security researcher Sonny Macdonald said.

"Should the stars align and the race be won, HTTP request [2] executes as the crushadmin user and we are able to use setUserItem to create a new administrative user. It is key to note that these HTTP requests in isolation cannot trigger the vulnerability – their combination within the race is key."

(The story was updated after publication on July 29, 2025, with insights from Censys and ReliaQuest. It was updated again September 2, 2025, with technical details of CVE-2025-54309.)
