    Hackers Exploit CrushFTP Zero-Day to Take Over Servers

    By Declan Murphy, August 31, 2025


    watchTowr Labs uncovers a zero-day exploit (CVE-2025-54309) in CrushFTP. The vulnerability lets hackers gain admin access through the web interface. Update to v10.8.5 or v11.3.4.

    A zero-day vulnerability in CrushFTP, a widely used file transfer server, is being actively exploited by hackers. Cybersecurity firm watchTowr Labs discovered the active exploitation of this flaw, tracked as CVE-2025-54309. The vulnerability was added to the CISA Known Exploited Vulnerabilities Catalog on July 22, 2025, confirming its critical status.

    watchTowr Labs’ investigation revealed a critical threat to over 30,000 online instances of the software. In its official statement, CrushFTP confirmed that the vulnerability had been exploited in the wild as early as July 18, 2025.

    CrushFTP official announcement (Source: watchTowr Labs)

    The company noted that the latest versions of the software had already fixed the issue. Hackers likely figured out how to exploit the bug after the company made a recent code change to fix a different problem, unintentionally revealing the vulnerability to attackers.

    “We believe this bug was in builds prior to July 1st time period, roughly… the latest versions of CrushFTP already have the issue patched. The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.” CrushFTP’s statement.

    The Exploit Explained

    watchTowr Labs used its proprietary honeypot network, called Attacker Eye, to capture the attack as it happened. The team deployed a specific sensor for CrushFTP and received an immediate alert when the sensor was breached.

    Analysis of the raw network traffic revealed a distinct pattern: two similar HTTP requests were being sent in rapid succession, repeated over 1,000 times. The key difference between the two requests was in their headers.

    The first request contained a header that pointed to the internal administrative user crushadmin, while the second request did not. This behaviour hinted at a race condition, which occurs when two tasks are competing for resources and the outcome depends on which one finishes first.

    In this case, the two requests were racing to be processed. If the requests arrived in a very specific order, the second request was able to take advantage of the first, executing as the crushadmin user without proper authentication (because the server thinks the attacker is an administrator).

    From there, it’s effectively game over because the hacker can bypass authentication and then take full control of the server, retrieve sensitive files, and cause significant damage.

    The attack specifically occurs via the software’s web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. Please note that enterprise customers using a DMZ CrushFTP instance to isolate their main server are not believed to be affected.

    To confirm their findings, watchTowr Labs created their own script to replicate the attack and successfully created a new administrator account on a vulnerable instance.
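
A defender-side way to hunt for the traffic pattern described above in captured HTTP requests, as an added example that is not watchTowr's or CrushFTP's code. The record format and thresholds are assumptions, and the header name and path are placeholders because the article does not name them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_USER = "crushadmin"               # internal admin user named in the article
MAX_GAP = timedelta(milliseconds=500)   # "rapid succession" (assumed threshold)
WINDOW = timedelta(seconds=60)          # burst window (assumed)
MIN_PAIRS = 50                          # assumed; the captured attack repeated 1,000+ times

def refs_admin(headers):
    return any(ADMIN_USER in str(v).lower() for v in headers.values())

def find_race_bursts(records):
    """records: (iso_ts, src_ip, method, path, headers). Returns {src_ip: pairs}."""
    by_src = defaultdict(list)
    for ts, src, method, path, headers in records:
        by_src[src].append((datetime.fromisoformat(ts), method, path, refs_admin(headers)))
    flagged = {}
    for src, reqs in by_src.items():
        reqs.sort(key=lambda r: r[0])
        pair_times, i = [], 0
        while i + 1 < len(reqs):
            (t1, m1, p1, a1), (t2, m2, p2, a2) = reqs[i], reqs[i + 1]
            # A pair: the same request twice, admin reference only in the first.
            if a1 and not a2 and (m1, p1) == (m2, p2) and t2 - t1 <= MAX_GAP:
                pair_times.append(t1)
                i += 2
            else:
                i += 1
        best = lo = 0
        for hi, t in enumerate(pair_times):   # densest WINDOW of pairs
            while t - pair_times[lo] > WINDOW:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= MIN_PAIRS:
            flagged[src] = best
    return flagged

def sample_records():
    """Constructed traffic; header name and path are placeholders, not real values."""
    base, recs = datetime(2025, 1, 1, 12, 0, 0), []
    def add(src, ms, headers):
        ts = (base + timedelta(milliseconds=ms)).isoformat()
        recs.append((ts, src, "POST", "/placeholder/endpoint", headers))
    for k in range(60):                       # burst of 60 pairs from one source
        add("203.0.113.7", k * 100, {"X-Placeholder": "crushadmin"})
        add("203.0.113.7", k * 100 + 10, {})
    for k in range(3):                        # a few pairs, below the threshold
        add("198.51.100.21", k * 5000, {"X-Placeholder": "crushadmin"})
        add("198.51.100.21", k * 5000 + 20, {})
    return recs

print(find_race_bursts(sample_records()))
```

Access logs rarely record arbitrary request headers, so this needs a reverse proxy or packet capture that retains them.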

    What You Need to Do

    According to researchers, the developers of CrushFTP had silently patched this issue in recent updates without publicly warning users, leaving many at risk. Given that this vulnerability is being actively exploited, it’s critical to secure your system by updating the software to the latest patched versions immediately.


