Subj : Top file transfer tool CrushFTP says a thousand servers are still
To   : All
From : TechnologyDaily
Date : Tue Jul 22 2025 14:15:08

Top file transfer tool CrushFTP says a thousand servers are still vulnerable to cyberattack, so patch now
Date: Tue, 22 Jul 2025 13:07:00 +0000
Description: Older versions granted attackers admin access via HTTPS.

FULL STORY
======================================================================

- CrushFTP had a flaw that allowed admin access via HTTPS
- It was patched in early July 2025, but risks persist
- Around 1,000 servers running older versions are at risk as attacks are spotted in the wild

Hackers are actively exploiting a critical vulnerability in CrushFTP instances, gaining admin access to vulnerable servers, experts have warned.

The flaw was addressed in early July 2025 with a patch, with the file transfer company urging customers to apply it as soon as possible. However, on July 18, the company said it saw a zero-day exploit being used against this vulnerability - meaning the attacks may have been going on for longer and were only observed then.

Around a thousand targets

In a recently published security advisory, CrushFTP explained that in all 10.x versions below 10.8.5 and all 11.x versions below 11.3.4_23, when the Demilitarized Zone (DMZ) proxy feature is not used, a mishandling of AS2 validation allows remote attackers to obtain admin access via HTTPS.

"Hackers apparently reverse engineered our code and found some bug which we had already fixed," the advisory reads. "They are exploiting it for anyone who has not stayed current on new versions. We don't know if the attackers are using the bug to drop malware, or steal data, and we don't know the exact number of organizations that were already compromised as a result of this flaw. We do know that just below 1,000 organizations remain vulnerable, as per the latest data from Shadowserver. These organizations are now being notified of the potential risk."
"Those who were exploited should restore a prior default user from their backup folder. As always we recommend regular and frequent patching," CrushFTP warned. "Anyone who had kept up to date was spared from this exploit. Enterprise customers with a DMZ CrushFTP in front of their main are not affected by this."

The bug is tracked as CVE-2025-54309 and has a severity score of 9.0.

Via BleepingComputer

======================================================================
Link to news story: https://www.techradar.com/pro/security/top-file-transfer-tool-crushftp-says-a-thousand-servers-vulnerable-to-cyberattack

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)
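The version thresholds in the advisory (fixed in 10.8.5 and 11.3.4_23, with DMZ-fronted deployments not affected) are easy to misread when an inventory mixes "11.3.4" and "11.3.4_23"-style strings, so the following is an added triage script, written for this post and not code from CrushFTP or TechRadar. It assumes CrushFTP version strings take the form MAJOR.MINOR.PATCH with an optional _BUILD suffix, that a string without a suffix compares as build 0 (earlier than any suffixed build of the same patch level), and that any major version other than 10 or 11 is simply outside what the advisory covers. The inventory it runs over is constructed sample data, not real hosts.

```python
import re

# Fixed versions named in the CrushFTP advisory: 10.8.5 for the 10.x line,
# 11.3.4_23 for the 11.x line.  Tuples are (major, minor, patch, build).
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

# Assumed format: MAJOR.MINOR.PATCH with an optional _BUILD suffix (e.g. 11.3.4_23).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text):
    """Parse a CrushFTP version string into a comparable (major, minor, patch, build) tuple.

    Assumption: a version with no _BUILD suffix is treated as build 0, i.e. earlier
    than any suffixed build of the same patch level (so 11.3.4 < 11.3.4_23).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def assess(version_text, dmz_proxy_in_front):
    """Classify one instance against the advisory.

    Returns 'patched', 'vulnerable', 'mitigated-by-dmz', or 'not-covered'
    (major version not named in the advisory; check separately).
    """
    v = parse_version(version_text)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "not-covered"
    if v >= fixed:
        return "patched"
    # The advisory states the flaw is reachable only when the DMZ proxy feature
    # is not used; a DMZ CrushFTP in front of the main instance is not affected.
    if dmz_proxy_in_front:
        return "mitigated-by-dmz"
    return "vulnerable"


# Constructed sample inventory: (host, reported version, DMZ proxy in front?).
SAMPLE_INVENTORY = [
    ("ftp-a.example", "10.8.4", False),      # 10.x below 10.8.5, exposed
    ("ftp-b.example", "11.3.4_22", False),   # one build short of the fix
    ("ftp-c.example", "11.3.4_23", False),   # exactly the fixed build
    ("ftp-d.example", "11.3.4", True),       # old, but behind a DMZ instance
    ("ftp-e.example", "9.5.0", False),       # major version not in the advisory
]


def triage(inventory):
    """Map host -> status for every (host, version, dmz) entry."""
    return {host: assess(version, dmz) for host, version, dmz in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16s} {status}")
```

Feed it whatever version strings your asset inventory or banner scan reports; anything that comes back "vulnerable" should be patched, and per the advisory also checked for a modified default user that may need restoring from the backup folder, since being unpatched on July 18 means the instance may already have been hit.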