- CrushFTP had a flaw that allowed administrator access over HTTPS
- It was patched in early July 2025, but the risk persists
- Around 1,000 servers running older versions are at risk as attacks are seen in the wild
Hackers are actively exploiting a critical vulnerability in CrushFTP instances, obtaining administrator access to vulnerable servers, experts have warned.
It was addressed with a patch in early July 2025, with the file transfer company urging customers to apply it as soon as possible.
However, on July 18, the company said it had seen a zero-day exploit using this vulnerability, which means the attacks had been happening for longer and were only observed at that point.
Around a thousand targets
In a recently published security advisory, CrushFTP explained that in all version 10 releases below 10.8.5 and all version 11 releases below 11.3.4_23, when the demilitarized zone (DMZ) proxy function is not in use, mishandled AS2 validation allows remote attackers to obtain administrative access over HTTPS.
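The affected ranges and the DMZ caveat above translate directly into an inventory check a defender can run. The following is an added example, not code from CrushFTP or the article; the host names and inventory are constructed, and it assumes version strings in the `major.minor.patch[_build]` form the advisory uses (a missing build number is treated as 0).

```python
"""Flag CrushFTP instances that fall inside the CVE-2025-54309 affected ranges
stated in the advisory: 10.x below 10.8.5 and 11.x below 11.3.4_23, when the
DMZ proxy function is not in use."""
import re
from dataclasses import dataclass

# Fixed versions from the advisory; the "_23" suffix is CrushFTP's build number.
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

def parse_version(text: str) -> tuple:
    """Turn '11.3.4_23' into (11, 3, 4, 23); a missing build counts as 0 (assumption)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)

def is_affected(version: str, dmz_proxy: bool) -> bool:
    """True when the instance matches the advisory's affected conditions."""
    if dmz_proxy:
        return False  # advisory: DMZ-fronted deployments are not affected
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # major version outside the ranges the advisory names
    return v < fixed  # tuple comparison handles the build number as well

@dataclass
class Host:
    name: str
    version: str
    dmz_proxy: bool

def triage(hosts) -> list:
    """Return the names of hosts that still need the patch, for a notification run."""
    return [h.name for h in hosts if is_affected(h.version, h.dmz_proxy)]

# Constructed sample inventory (hypothetical host names, not real systems).
SAMPLE = [
    Host("ftp-a", "10.8.4", False),
    Host("ftp-b", "10.8.5", False),
    Host("ftp-c", "11.3.4_22", False),
    Host("ftp-d", "11.3.4_23", False),
    Host("ftp-e", "11.3.4", False),
    Host("ftp-f", "11.2.9", True),
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # -> ['ftp-a', 'ftp-c', 'ftp-e']
```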
“The hackers apparently reverse engineered our code and found some bug that we had already fixed,” the advisory says. “They are exploiting it against anyone who has not stayed up to date on new versions.”
We do not know whether the attackers are using the bug to deploy malware or steal data, and we do not know the exact number of organizations already compromised as a result of this flaw.
We do know that just under 1,000 organizations are still vulnerable, according to the latest Shadowserver data. These organizations are now being notified of the potential risk. Those who were exploited must restore a prior default user from their backup folder.
“As always, we recommend regular and frequent patching,” CrushFTP warned. “Anyone who stayed up to date was safe from this exploit. Enterprise customers with a DMZ CrushFTP in front of their main instance are not affected by this.”
The bug is tracked as CVE-2025-54309 and has a severity score of 9.0.
Via BleepingComputer