CrushFTP Zero-Day Exploit Leaves Thousands Of Servers Vulnerable To Hijacking

CrushFTP, a vendor of secure file-transfer server software, has recently been targeted by attackers. Some customers appear to have been compromised, and thousands of servers remain vulnerable, according to the non-profit Shadowserver Foundation, although the company says it has fixed the issue in its latest release.

The attackers exploited a zero-day vulnerability in CrushFTP, tracked as CVE-2025-54309. They apparently found it by reverse engineering the code of a prior version, which contained a bug “related to AS2 in HTTP(S)” that the development team had already fixed. “We believe this bug was in builds prior to July 1st time period roughly,” the company said; the affected builds are version 10 below 10.8.5 and version 11 below 11.3.4_23.


The company has given customers guidance on how to determine whether their servers have been hit. Indicators of compromise include a user named Default with admin access, any other recently created users with admin access, a MainUsers/default/user.XML file containing "last_logins", and user IDs that are long and random. Attackers have also been seen altering the version number to mislead users, so it is recommended to validate installations with MD5 hashes.
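As an added illustration, not the vendor's own tooling, the following Python script checks a MainUsers directory for the indicators listed above. It assumes each user ID is a subdirectory of MainUsers, searches user.XML as plain text rather than parsing CrushFTP's schema, uses assumed length and entropy thresholds for "long and random" IDs, and expects the reference MD5 to be supplied by the operator from the vendor's published values.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(s: str) -> float:
    """Bits per character; machine-generated IDs score far higher than human names."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(user_id: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Heuristic for the 'long and random' user IDs in the advisory (thresholds are assumed)."""
    return len(user_id) >= min_len and shannon_entropy(user_id) >= min_entropy


def scan_main_users(main_users: Path) -> list[str]:
    """Return human-readable findings for one MainUsers tree (one subdirectory per user ID)."""
    findings = []
    if (main_users / "Default").is_dir():          # literal user name from the vendor IoCs
        findings.append("user 'Default' exists")
    default_xml = main_users / "default" / "user.XML"
    if default_xml.is_file() and "last_logins" in default_xml.read_text(errors="replace"):
        findings.append("default/user.XML contains 'last_logins'")
    for d in sorted(p for p in main_users.iterdir() if p.is_dir()):
        if looks_random(d.name):
            findings.append(f"suspicious user id '{d.name}'")
    return findings


def file_md5(path: Path) -> str:
    return hashlib.md5(path.read_bytes()).hexdigest()


def md5_matches(path: Path, expected_md5: str) -> bool:
    """Validate an installed file against the digest the vendor publishes (operator-supplied)."""
    return file_md5(path) == expected_md5.strip().lower()


def build_sample() -> Path:
    """Constructed sample tree reproducing the three indicators; not real CrushFTP data."""
    root = Path(tempfile.mkdtemp()) / "MainUsers"
    for name in ("default", "Default", "alice", "q7Zk2mP9xLw4Rt8vNb3c"):
        (root / name).mkdir(parents=True, exist_ok=True)
    (root / "default" / "user.XML").write_text("<user><last_logins>x</last_logins></user>")
    (root / "alice" / "user.XML").write_text("<user><username>alice</username></user>")
    return root


if __name__ == "__main__":
    for line in scan_main_users(build_sample()):
        print(line)
```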

This is a classic example of why it’s so important to keep systems up to date, as CrushFTP users running the latest version of the software were not impacted by this exploit. The company recommends that customers opt to receive updates automatically, which can be done within the “Updates” section found in “Preferences.”

As for the vast number of servers still using older versions of CrushFTP, Shadowserver says it will be working to get in contact with those users to alert them of the exploit. Hopefully these customers will be notified before any major damage is done.