CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability, tracked as CVE-2025-54309, that allows attackers to gain administrative access through the web interface on vulnerable servers.
CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S and other protocols.
According to CrushFTP, threat actors were first observed exploiting the vulnerability at 9 AM CST on July 18, although exploitation may have begun in the early hours of the previous day.
CrushFTP CEO Ben Spink told BleepingComputer that an earlier fix for a vulnerability related to AS2 over HTTP(S) had inadvertently blocked exploitation of the zero-day.
“Incidentally, a prior fix was blocking this vulnerability, but the prior fix was targeting a separate issue and was shutting down some rarely used features by default,” Spink told BleepingComputer.
CrushFTP says the threat actors reverse engineered its software, discovered this new bug, and began exploiting it on devices that were not up to date on their patches.
The CrushFTP advisory states:
“The attack vector was HTTP(S), which is how they could exploit the server. We had fixed a separate issue related to AS2 in HTTP(S), not realizing that the prior bug could be used in this exploit. Hackers clearly saw our code change and discovered a way to exploit the prior bug.
“As usual, we recommend regular and frequent patching. Anyone who kept up to date was spared from this exploit.”
The vulnerability is exploited through the software's web interface and affects versions before CrushFTP v10.8.5 and CrushFTP v11.3.4_23. It is not clear exactly when these versions were released, but CrushFTP says around July 1.
CrushFTP says that systems that have been updated are not vulnerable.
Enterprise customers using a DMZ CrushFTP instance to isolate their main servers are not affected by this vulnerability.
Administrators who believe their systems were compromised are advised to restore the default user configuration from a backup taken before July 16. Indicators of compromise include:
- Unexpected entries in MainUsers/default/user.xml, especially recent modifications or a last_logins field
- New, unfamiliar administrator-level usernames such as 7a0d26089ac528941bf8cb998d97f408m
Spink says that a modified default user is the main indicator of compromise they have seen.
“Generally we have seen the default user modified as the main IOC. Generally it was modified in very invalid ways that were still usable for the attacker, but no one else,” Spink told BleepingComputer.
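A triage helper for the indicators listed above, added here as an example; it is not CrushFTP's or Rapid7's tooling. It parses a constructed user.xml with an assumed, simplified layout (one `<user>` element carrying `<username>`, `<admin>` and `<last_logins>` children; the real file's element names may differ and must be adapted), flags usernames that match the 32-hex-character pattern of the example IOC, admin-level accounts outside an operator-supplied allowlist, a default user that has login history, and login timestamps on or after the July 16 cutoff the vendor gives for restoring from backup. The `KNOWN_ADMINS` set and the sample file contents are assumptions for the demonstration.

```python
"""Triage helper for CrushFTP user.xml indicators (added example, not vendor code).

Assumed schema (adapt to the real file):
  <users><user><username/><admin/><last_logins/></user>...</users>
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: a default-user file as it might look after a compromise.
SAMPLE_USER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user>
    <username>crushadmin</username>
    <admin>true</admin>
    <last_logins>2025-07-01 10:12:44</last_logins>
  </user>
  <user>
    <username>7a0d26089ac528941bf8cb998d97f408m</username>
    <admin>true</admin>
    <last_logins>2025-07-18 09:04:10</last_logins>
  </user>
  <user>
    <username>default</username>
    <admin>true</admin>
    <last_logins>2025-07-18 08:55:02,2025-07-17 03:41:19</last_logins>
  </user>
</users>
"""

# Assumed allowlist: admin accounts the operator recognises as legitimate.
KNOWN_ADMINS = {"crushadmin"}
# The advisory's example IOC username is 32 hex characters plus a trailing letter.
HEX_NAME = re.compile(r"^[0-9a-f]{32}[a-z]?$")
# Vendor guidance: restore from a backup taken before July 16, so activity
# from that date onward is treated as suspect.
CUTOFF = datetime(2025, 7, 16, tzinfo=timezone.utc)
LOGIN_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout


def parse_login(stamp):
    """Parse one last_logins timestamp; return None if it is not in the assumed format."""
    try:
        return datetime.strptime(stamp.strip(), LOGIN_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def triage(xml_text, known_admins=KNOWN_ADMINS, cutoff=CUTOFF):
    """Return {username: [reasons]} for every account that trips an indicator."""
    findings = {}
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        name = (user.findtext("username") or "").strip()
        is_admin = (user.findtext("admin") or "").strip().lower() == "true"
        raw = user.findtext("last_logins") or ""
        logins = [s.strip() for s in raw.split(",") if s.strip()]
        reasons = []

        if HEX_NAME.match(name):
            reasons.append("username matches the hex-style IOC pattern")
        if is_admin and name not in known_admins and name != "default":
            reasons.append("admin-level account not in the known-admin list")
        if name == "default" and logins:
            # The default user is not expected to carry login history.
            reasons.append("default user has last_logins entries")

        recent = [s for s in logins if (t := parse_login(s)) is not None and t >= cutoff]
        if recent and name not in known_admins:
            reasons.append(f"login activity on/after {cutoff.date()}: {', '.join(recent)}")

        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for account, why in triage(SAMPLE_USER_XML).items():
        print(account)
        for reason in why:
            print("  -", reason)
```

Run it against a copy of the live file with `triage(open(path).read())`; anything it flags should be compared with the pre-July-16 backup rather than trusted as a definitive verdict, since a legitimate admin who logged in after the cutoff will also appear if left out of `KNOWN_ADMINS`.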
CrushFTP also recommends reviewing upload and download logs for abnormal activity, and the following steps to reduce exposure:
- IP whitelisting for server and administrator access
- Using a DMZ instance
- Enabling automatic updates
However, cybersecurity firm Rapid7 says that using a DMZ may not be a reliable strategy for preventing exploitation.
“Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy,” Rapid7 warned.
At this time, it is not clear whether the attacks were used for data theft or to deploy malware. However, managed file transfer solutions have become high-value targets for data theft campaigns in recent years.
In the past, ransomware gangs, most notably Clop, have repeatedly exploited zero-day vulnerabilities in similar platforms, including Cleo, MOVEit Transfer, GoAnywhere MFT and Accellion FTA, in large-scale data theft and extortion attacks.