Does anyone among my blog readers use the CrushFTP program for file transfer? In the meantime, several readers have reported (thanks for that) that there are reports of a 0-day vulnerability (CVE-2025-54309) in the CrushFTP server, which is probably already being exploited.
What is CrushFTP?
CrushFTP is a proprietary multi-protocol, multi-platform file transfer server originally developed in 1999 and offered with a tiered pricing model. The product is aimed at everyone from home users to corporate customers. The manufacturer advertises the product as an "enterprise grade file transfer" solution: extremely powerful, easy to use, and running on almost anything (macOS 10.9+/11/12+, Win2012+, Linux, Solaris, BSD, Unix, etc.). Clients are also available as apps for Android and iOS.
CrushFTP supports FTP, FTPS, SFTP, HTTP, HTTPS, WebDAV and WebDAV SSL protocols. It also has AJAX/HTML5 and Java applet web interfaces that allow end users to manage their files via a web browser.
CrushFTP uses a graphical user interface for management, but can also be installed as a daemon on Mac OS X, Linux, Unix and as a service on Windows.
CrushFTP supports multihoming, multiple websites with different branding, configuration changes on the fly, attachment redirection and GUI-based management of users and groups via a browser. Plugins are included for authentication to SQL databases, LDAP, Active Directory and other custom methods. All settings are stored in XML files that can be edited directly or via the web UI. When editing directly, CrushFTP notices the timestamp change and loads the settings immediately without requiring a server restart.
0-day vulnerability CVE-2025-54309 in the software
Blog reader Joshua got in touch by email yesterday under the subject "CrushFTP 0-day exploit in the wild" and wrote: "We also use CrushFTP ourselves to provide various services, there have been several security vulnerabilities in the past, but the product is virtually unrivaled in terms of functionality, as it goes far beyond a normal FTP server and supports numerous protocols." But I was offline on Friday. Blog reader Dennis F. had contacted me by email in the late afternoon of July 18, 2025 (almost a minute before Joshua; thanks to both of you) and wrote "This email reached us 5 minutes ago":
There is a 0-day exploit being used against CrushFTP servers. It's critical, if you have not been updating recently, to update immediately.
10.8.5+ does not have this bug if you were updated, as far as we can tell.
11.3.4_23+ does not have this bug, as far as we can tell.
The manufacturer writes in its email that further information will be published in the wiki as soon as it has learned more and found out what is going on. On the wiki page the vendor writes that hackers have apparently reverse-engineered the CrushFTP code and found a bug. The vendor believes that this vulnerability is already fixed in newer software versions and was only present in older versions released before July 1, 2025.
The attack vector consisted of HTTP(S) connections, through which the server could be exploited. The attackers probably noticed the fix for a different AS2-related issue in the HTTP(S) code in early July 2025, analyzed the change, and developed an exploit for the vulnerability. The following CrushFTP versions are affected:
- All 10.x versions below 10.8.5
- All 11.x versions below 11.3.4_23
The attackers exploit the vulnerability on systems that are not up to date. Anyone using newer versions should not be affected.
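To check an estate against the two version ranges above, here is an added example (my own, not code from the vendor or from CrushFTP) that parses CrushFTP version strings, including the `_build` suffix used by 11.3.4_23, and flags installations below the fixed builds. The inventory of hostnames and versions is constructed; any version whose major number the vendor note does not cover is reported as unknown rather than guessed.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed builds as stated in the vendor's note (10.8.5 and 11.3.4_23).
# Versions without a "_build" suffix are treated as build 0, so a bare
# "11.3.4" sorts below "11.3.4_23" and is correctly reported as affected.
FIXED_BUILDS: Dict[int, Tuple[int, int, int, int]] = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.3.4_23' into a comparable tuple (11, 3, 4, 23)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if below the fixed build for its major line, False if at or
    above it, None if the major line is not covered by the vendor note."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames that still run an affected build, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ftp-01.example.test": "10.8.4",      # affected: below 10.8.5
    "ftp-02.example.test": "11.3.4",      # affected: build 0 < build 23
    "ftp-03.example.test": "11.3.4_23",   # fixed
    "ftp-04.example.test": "11.3.5",      # fixed
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, update now")
```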
German users successfully attacked
In a follow-up e-mail, Dennis wrote to me that developments regarding the CrushFTP 0-day are escalating. The manufacturer's wiki article seems to be updated constantly with new information. And the IT department has "just discovered" that the first customer installation was successfully attacked on Friday (18.7.2025) at 11 am.
He also noted that the issue could therefore be very urgent for readers. Fits perfectly, of course: I was mostly offline on Friday because I had other things to do, and the emails were probably not yet displayed to me in the afternoon. It's now the wee
Anyone who is affected and has been compromised will find instructions on what to do in the linked manufacturer support wiki.