- CrushFTP had a bug that allowed unauthenticated admin access over HTTPS
- It was patched in early July 2025, but unpatched servers remain at risk
- Roughly 1,000 servers still run older versions as in-the-wild attacks are discovered
Hackers are actively exploiting a critical vulnerability in CrushFTP file transfer servers to gain admin access to vulnerable instances, experts have warned.
The flaw was fixed with a patch in early July 2025, and the file transfer company urged customers to apply it as soon as possible.
On July 18, however, the company said it had observed zero-day exploitation of this vulnerability, which means the attacks may have been going on for longer and were only spotted then.
About a thousand targets
In a recently published security advisory, CrushFTP explained that all 10.x versions before 10.8.5 and all 11.x versions before 11.3.4_23 mishandle AS2 validation when the demilitarized zone (DMZ) proxy feature is not in use, which allows remote attackers to obtain admin access via HTTPS.
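The affected ranges above hinge on CrushFTP's version string format, including the `_NN` build suffix (11.3.4_22 is vulnerable, 11.3.4_23 is not), and on whether a DMZ proxy fronts the main instance. The following triage script is an added example, not code from CrushFTP or from the original article: it parses that format, compares each host against the patched thresholds from the advisory, and exempts DMZ-fronted deployments. The inventory list and hostnames are constructed sample data; it is assumed that a version string without a `_NN` suffix is the initial build of that release and therefore predates any `_NN` build.

```python
import re
from typing import List, Optional, Tuple

# Patched builds per the CrushFTP advisory: 10.x before 10.8.5 and
# 11.x before 11.3.4_23 are affected by CVE-2025-54309.
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

# Matches "MAJOR.MINOR.PATCH" with an optional "_BUILD" suffix, e.g. "11.3.4_23".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\s*$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Parse a CrushFTP version string into a comparable (major, minor, patch, build) tuple.

    Assumption: a missing "_NN" suffix is treated as build 0, i.e. older than any "_NN" build
    of the same release.
    """
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {s!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str, dmz_proxy_in_use: bool = False) -> Optional[bool]:
    """Return True if the build falls in the affected range for CVE-2025-54309.

    Returns False when the build is patched, or when a DMZ proxy sits in front of the
    main instance (the advisory says those deployments are not affected).
    Returns None for major versions the advisory does not cover, so the caller can
    review them by hand instead of silently marking them safe.
    """
    if dmz_proxy_in_use:
        return False
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def triage(inventory: List[Tuple[str, str, bool]]) -> List[str]:
    """Return the hostnames that need patching.

    Each inventory entry is (hostname, version_string, dmz_proxy_in_use).
    """
    return [host for host, ver, dmz in inventory if is_vulnerable(ver, dmz)]


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("ftp-a.example", "11.3.4_22", False),  # one build short of the fix
    ("ftp-b.example", "11.3.4_23", False),  # patched
    ("ftp-c.example", "10.8.4", False),     # 10.x before 10.8.5
    ("ftp-d.example", "10.8.5", False),     # patched 10.x
    ("ftp-e.example", "11.2.0", True),      # old build, but behind a DMZ proxy
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: patch required (CVE-2025-54309)")
```

Hosts where `is_vulnerable` returns `None` are not listed by `triage`; treat those as "unknown" and check them manually rather than assuming they are safe.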
“Hackers apparently reverse engineered our code and found a bug we had already fixed,” the advisory says. “They are exploiting it against anyone who has not kept up to date with new versions.”
It is not known whether the attackers are using the flaw to drop malware or steal data, nor exactly how many organizations have already been compromised as a result.
What is known is that just under 1,000 organizations remain vulnerable, according to the latest data from Shadowserver, and they are being notified of the risk. Those who were exploited should restore the prior default user from their backup folder.
“As always, we recommend regular and frequent patching,” CrushFTP warned. “Anyone who had kept up to date was spared from this exploit. Enterprise customers with a DMZ CrushFTP in front of their main instance are not affected by this.”
The flaw is tracked as CVE-2025-54309 and carries a severity score of 9.0.
Via BleepingComputer