More than 1,000 internet-accessible CrushFTP servers are vulnerable to hijack attacks via a critical security flaw identified as CVE-2025-54309. The vulnerability, which stems from improperly handled AS2 validation, allows threat actors to gain administrative access to the software's web interface.
CrushFTP is an enterprise-grade file transfer solution that supports multiple protocols, including FTP, SFTP, and HTTPS, and is widely used by businesses to manage and share files securely.
The flaw affects all versions of CrushFTP below 10.8.5 and 11.3.4_23. The vendor has confirmed that the vulnerability is being actively exploited in the wild, with signs of the first attacks detected on July 18. The company suspects that malicious actors reverse engineered its software to discover and exploit the bug, potentially beginning attacks even earlier.
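The version statement above is the key triage input for defenders: a server is affected if it runs anything below 10.8.5 on the 10.x line or below 11.3.4_23 on the 11.x line. The following script is an added example, not code from the article or from the CrushFTP project, that parses CrushFTP version strings (including the `_NN` build suffix seen in 11.3.4_23) and flags an inventory of hosts as patched or still exposed. The host names and version strings in the inventory are constructed sample data; treating a missing build suffix as build 0 and comparing any pre-11 release against the 10.8.5 threshold are assumptions made here, not details stated by the vendor.

```python
import re
from typing import Dict, Tuple

# Fixed builds named in the advisory: everything below these is affected.
# Represented as (major, minor, patch, build) so tuple comparison works.
FIXED_10 = (10, 8, 5, 0)
FIXED_11 = (11, 3, 4, 23)

# Accepts "10.8.5" or "11.3.4_23"; the trailing "_NN" build number is optional.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse a CrushFTP version string into a comparable 4-tuple.

    A missing build suffix is treated as build 0 (assumption).
    """
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(text: str) -> bool:
    """True if the version is below the fixed build for its release line.

    11.x and later are compared against 11.3.4_23; everything earlier is
    compared against 10.8.5 (so a hypothetical 9.x is also flagged).
    """
    version = parse_version(text)
    threshold = FIXED_11 if version[0] >= 11 else FIXED_10
    return version < threshold


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each host to whether it still needs the CVE-2025-54309 fix."""
    return {host: is_vulnerable(ver) for host, ver in inventory.items()}


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "ftp-a.example.internal": "10.8.4",
    "ftp-b.example.internal": "10.8.5",
    "ftp-c.example.internal": "11.3.4",
    "ftp-d.example.internal": "11.3.4_23",
    "ftp-e.example.internal": "11.3.4_25",
}

if __name__ == "__main__":
    for host, needs_patch in triage(SAMPLE_INVENTORY).items():
        status = "VULNERABLE - patch now" if needs_patch else "patched"
        print(f"{host:28s} {SAMPLE_INVENTORY[host]:12s} {status}")
```

Feed the script the version strings reported by your own asset inventory; any host flagged vulnerable should be updated before the log audit and admin-interface restrictions described below are relied on.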
“We believe this bug was in builds prior to July 1st time period roughly...the latest versions of CrushFTP already have the issue patched. The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug,” the advisory explains.
The company advises system administrators to audit server logs for abnormal upload or download behavior, enable automatic updates, and restrict access to admin interfaces through IP whitelisting.
According to data from the security monitoring platform Shadowserver, nearly 1,040 CrushFTP servers are still unpatched and exposed online.