WatchTowr Labs uncovers a zero-day exploit (CVE-2025-54309) in CrushFTP. The vulnerability lets hackers acquire admin entry through the online interface. Replace to v10.8.5 or v11.3.4.
A zero-day vulnerability in CrushFTP, a extensively used file switch server, is being actively exploited by hackers. Cybersecurity agency watchTowr Labs found the lively exploitation of this flaw, tracked as CVE-2025-54309. The vulnerability was added to the CISA Identified Exploited Vulnerabilities Catalogue on July 22, 2025, confirming its vital standing.
watchTowr Labs’ investigation revealed a vital risk to over 30,000 on-line cases of the software program. In its official assertion, CrushFTP confirmed that the vulnerability had been exploited within the wild as early as July 18, 2025.
The corporate famous that the newest variations of the software program had already fastened the problem. Hackers seemingly found out tips on how to exploit the bug after the corporate made a current code change to repair a unique drawback, by accident revealing the vulnerability to attackers.
“We consider this bug was in builds previous to July 1st time interval, roughly… the newest variations of CrushFTP have already got the problem patched. The assault vector was HTTP(S) for the way they might exploit the server. We had fastened a unique challenge associated to AS2 in HTTP(S) not realizing that prior bug may very well be used like this exploit was. Hackers apparently noticed our code change, and found out a solution to exploit the prior bug.” CrushFTP’s assertion.
The Exploit Defined
watchTowr Labs used its proprietary honeypot community, referred to as Attacker Eye, to seize the assault because it occurred. The staff deployed a particular sensor for CrushFTP and obtained a direct alert when the sensor was breached.
Evaluation of the uncooked community visitors revealed a definite sample: two comparable HTTP requests had been being despatched in fast succession, repeated over 1,000 occasions. The important thing distinction between the 2 requests was of their headers.
The primary request contained a header that pointed to the inner administrative consumer crushadmin, whereas the second request didn’t. This behaviour hinted at a race situation, which happens when two duties are competing for sources, and the end result will depend on which one finishes first.
On this case, the 2 requests had been racing to be processed. If the requests arrived in a really particular order, the second request was capable of benefit from the primary, executing because the crushadmin consumer with out correct authentication (because the server thinks the attacker is an administrator).
From there, it’s successfully sport over as a result of the hacker can bypass authentication after which take full management of the server, retrieve delicate recordsdata, and trigger vital injury.
The assault particularly happens through the software program’s net interface in variations previous to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. Please be aware that enterprise clients utilizing a DMZ CrushFTP occasion to isolate their most important server should not believed to be affected.
To verify their findings, watchTowr Labs created their very own script to copy the assault and efficiently created a brand new administrator account on a weak occasion.
What You Have to Do
In line with researchers, the builders of CrushFTP had silently patched this challenge in current updates with out publicly warning customers, leaving many in danger. On condition that this vulnerability is being actively exploited, it’s vital to safe your system by updating the software program to the newest patched variations instantly.
