Skip to Content

What Critical CrushFTP Vulnerability Is Risking Users’ Data Security Right Now?

By: Author Alex Lim

Posted on

Categories Cybersecurity

Home » Cybersecurity » What Critical CrushFTP Vulnerability Is Risking Users’ Data Security Right Now?

How Can CrushFTP Users Protect Themselves From This Dangerous Zero-Day Threat?

CrushFTP is a file transfer server. People and companies use it to move files safely. It works on many systems:

  • Windows (Win2012+)
  • Mac (10.9+)
  • Linux
  • Solaris
  • BSD
  • Unix

It handles these ways to connect: FTP, SFTP, FTPS, HTTP, HTTPS, WebDAV, WebDAV SSL. A user can use a web page or app on Android or iOS to manage files. The server has a simple look and is easy to run.

Admins can:

  • Set up many sites with different looks.
  • Change settings live.
  • Redirect links.
  • Control users or groups with pictures and buttons.
  • Connect to SQL, LDAP, or Active Directory.
  • Change settings in XML files or with the browser.

If the XML files change, the server reloads them right away, so you do not need to restart.

What Is the CVE-2025-54309 Vulnerability?

A big problem called CVE-2025-54309 was discovered in July 2025. This type of problem is called a zero-day because bad actors can use it before anybody has a fix. Attackers can take over a CrushFTP server without a password, just by using a special request over HTTPS.

  • The main issue is with something called the AS2 protocol.
  • This bug lets attackers get admin rights without logging in.
  • Anyone who has not updated since before July 1, 2025, is exposed.

Versions at risk:

  • Any version 10 below 10.8.5
  • Any version 11 below 11.3.4_23

Versions that are safe:

  • Version 10.8.5 and newer
  • Version 11.3.4_23 and newer

An extra safety note: If you use a special DMZ “proxy” in front of CrushFTP, you are less likely to be hit.

How Does the Attack Work?

  • The attack uses HTTP(S) to talk to your server.
  • Hackers studied the CrushFTP code after a recent fix and saw how to break in.
  • Servers that were kept up-to-date were not affected.

Signs Your Server Is Compromised

Look for these clues:

  • The file MainUsers/default/user.XML has a part called “last_logins.”
  • That file’s changed date is very recent.
  • You see new, strange user IDs in your users list.
  • Accounts you do not know now have admin powers.
  • The web panel has changed – maybe new buttons appear or old ones disappear.

What to Do if Compromised

Follow these steps:

  1. Restore the default user from a backup made before July 18, 2025.
  2. Use a tool like 7Zip, WinRar, WinZip, or macOS default tools; don’t use Windows unzip for this.
  3. Delete the compromised user file if no backup exists. CrushFTP will make a new one, but you will lose old changes.
  4. Check reports for files uploaded or downloaded recently.
  5. Restore backups dated before July 16, 2025, to be extra careful.

How to Stay Safe

  • Update CrushFTP to 10.8.5 or 11.3.4_23 right away.
  • Limit which computers can connect to your server.
  • Use a DMZ proxy for extra protection.
  • Turn on automatic updates.
  • Watch for unfamiliar logins or strange new admin users.

Staying alert and taking quick action can help keep your files and business safe.