Does anyone reading this blog use the CrushFTP program for file transfers? The CVE-2025-54309 vulnerability has been known and fixed since July 2025. Now I've come across a report that hackers are actively exploiting this vulnerability.
What is CrushFTP?
CrushFTP is a proprietary multi-protocol, multi-platform file transfer server originally developed in 1999 and offered with a tiered pricing model. The product is aimed at home users through to corporate users. The manufacturer advertises the product as an "enterprise grade file transfer" solution, which is an extremely powerful, easy-to-use solution that runs on almost anything: macOS 10.9+/11/12+, Win2012+, Linux, Solaris, BSD, Unix, etc! Clients are also available as apps for Android and iOS.
CrushFTP supports FTP, FTPS, SFTP, HTTP, HTTPS, WebDAV and WebDAV SSL protocols. It also has AJAX/HTML5 and Java applet web interfaces that allow end users to manage their files via a web browser.
CrushFTP uses a graphical user interface for management, but can also be installed as a daemon on Mac OS X, Linux, Unix and as a service on Windows.
CrushFTP supports multihoming, multiple websites with different branding, configuration changes on the fly, attachment redirection and GUI-based management of users and groups via a browser. Plugins are included for authentication to SQL databases, LDAP, Active Directory and other custom methods. All settings are stored in XML files that can be edited directly or via the web UI. When editing directly, CrushFTP notices the timestamp change and loads the settings immediately without requiring a server restart.
Vulnerability CVE-2025-54309 in CrushFTP
On July 19, 2025, I reported in the article "CrushFTP with 0-day vulnerability CVE-2025-54309" that a zero-day vulnerability existed in the software. CrushFTP 10.8.5 and higher, as well as 11.3.4_23 and higher, do not have this vulnerability. An analysis of the vulnerability can be found here.
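For anyone triaging an inventory of CrushFTP servers against the fixed versions named above, here is a small version check as an added example (not code from the post or from CrushFTP); it assumes version strings in the "major.minor.patch[_build]" form shown here, such as 11.3.4_23, and treats any major line other than 10 or 11 as "not covered" rather than guessing.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the post: 10.8.5 on the 10.x line, 11.3.4_23 on the 11.x line.
# Tuples are (major, minor, patch, build); a missing build suffix counts as 0.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int, int]] = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}

# Assumed format: "11.3.4_23" or "10.8.5" (build suffix optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse a CrushFTP-style version string into a comparable tuple; None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build) if build else 0)


def is_patched(text: str) -> Optional[bool]:
    """True if at/above the fixed release for its major line, False if below.

    None means the string is unparseable or its major line (e.g. 9.x) is not one
    the post gives a fixed version for, so it needs manual review, not a guess.
    """
    version = parse_version(text)
    if version is None:
        return None
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version >= fixed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a {host: version} map into patched / vulnerable / unknown host lists."""
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_patched(version)
        bucket = "unknown" if status is None else ("patched" if status else "vulnerable")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"ftp-a": "11.3.4_22", "ftp-b": "11.3.4_23", "ftp-c": "10.8.4", "ftp-d": "9.2.0"}
    print(triage(sample))
```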
In my blog post, I mentioned that German users had been successfully attacked via the vulnerability. Now I read in the following tweet that hackers are exploiting the critical security vulnerability CVE-2025-54309 (CVSS: 9) in CrushFTP to gain full administrator access via HTTPS.
Attackers can steal sensitive files, place malicious files, and wreak havoc. A proof of concept (PoC) from WatchTowr Labs can now be found on GitHub. ZoomEye has found 193,000 vulnerable CrushFTP instances on the internet. If anyone is affected and has been compromised, they can find instructions on what to do in the linked manufacturer support wiki.