Critical Zero-Day Exposes FTP Servers To Attack

Some weeks start better than others. If you are a member of an enterprise security team or a sysadmin, this week is not one of them. First, there was the news over the weekend from Microsoft that on-premises SharePoint servers were under global attack via a critical zero-day exploit for which there was no patch. Thankfully, an emergency update has now been released, but the bad news is that this alone will not be enough to stop the ongoing attacks. The bad news gets worse: CrushFTP has confirmed that another critical zero-day vulnerability, affecting all platforms, has been exploited by remote attackers to gain admin access. Here’s what you need to know, and do, about the CVE-2025-54309 FTP server attacks.


CVE-2025-54309 FTP Server Zero Day Exploit Confirmed

A public security advisory from FTP vendor CrushFTP has confirmed that a critical zero-day vulnerability, tracked as CVE-2025-54309, has been exploited in the wild. CrushFTP stated that the exploit was first observed on July 18, but admitted that “possibly it has been going on for longer,” since the flaw affects builds from before the CrushFTP code updates of July 1.

“Hackers apparently reverse engineered our code and found some bug which we had already fixed,” the advisory warned, and they are “exploiting it for anyone who has not stayed current on new versions.”

The attack vector employed by the hackers appears to be HTTP(S). The National Vulnerability Database describes CVE-2025-54309 as affecting CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23 “when the DMZ proxy feature is not used,” with the server mishandling validation for AS2 (Applicability Statement 2, a protocol for transmitting business messages over HTTP). This “consequently allows remote attackers to obtain admin access via HTTPS,” the National Institute of Standards and Technology, an agency of the United States Department of Commerce, explained.

“Based on the Indicators of Compromise provided in the advisory, a ‘last_logins’ value set for the internal ‘default’ user account is indicative of exploitation,” Ryan Emmons, an offensive security engineer and vulnerability researcher at Rapid7, said.
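A quick triage script for that indicator, added here as an example and not taken from CrushFTP or Rapid7: it parses a per-user `user.XML` file, checks whether the user it describes is the internal `default` account, and reports any non-empty `last_logins` value. The file layout (a `<user>` root with `<username>` and `<last_logins>` child elements, stored under a `users/` directory) and the sample timestamps are assumptions made for the example; confirm element names against a real install before relying on the scan.

```python
"""Triage helper for the CVE-2025-54309 indicator of compromise.

The advisory's indicator is a ``last_logins`` value being set on the
internal ``default`` user, which normally never logs in. This script is an
added example: the XML layout below is an assumption, not CrushFTP's
documented schema, and the sample data is constructed.
"""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Iterator, Optional, Tuple

# Constructed sample: what a pristine default user record is assumed to look like.
CLEAN_DEFAULT_USER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<user type="properties">
  <username>default</username>
  <password>unused</password>
</user>
"""

# Constructed sample: same record after the attacker logged in as 'default'.
SUSPICIOUS_DEFAULT_USER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<user type="properties">
  <username>default</username>
  <password>unused</password>
  <last_logins>07/19/2025 03:14:07</last_logins>
</user>
"""

# Constructed sample: a regular user with logins, which is NOT an indicator.
ORDINARY_USER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<user type="properties">
  <username>alice</username>
  <last_logins>07/19/2025 08:00:00</last_logins>
</user>
"""


def default_user_last_logins(xml_text: str) -> Optional[str]:
    """Return the last_logins value if this record is the 'default' user
    and the value is non-empty; otherwise None.

    Unparseable input is treated as 'no finding' here; scan_users_dir
    reports it separately so a corrupted file is not silently skipped.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    username = (root.findtext("username") or "").strip()
    if username.lower() != "default":
        return None
    value = (root.findtext("last_logins") or "").strip()
    return value or None


def has_exploitation_indicator(xml_text: str) -> bool:
    """True when the record matches the advisory's indicator."""
    return default_user_last_logins(xml_text) is not None


def scan_users_dir(users_root: Path) -> Iterator[Tuple[Path, str]]:
    """Walk a users directory (assumed layout: users/<group>/<name>/user.XML)
    and yield (path, finding) pairs for every hit or unreadable file."""
    for path in sorted(users_root.rglob("user.XML")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError as exc:
            yield path, f"UNREADABLE: {exc}"
            continue
        try:
            ET.fromstring(text)
        except ET.ParseError as exc:
            yield path, f"UNPARSEABLE: {exc}"
            continue
        value = default_user_last_logins(text)
        if value is not None:
            yield path, f"INDICATOR: default user has last_logins={value!r}"


if __name__ == "__main__":
    import sys
    # Usage: python check_default_user.py /path/to/CrushFTP/users
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if root is None or not root.is_dir():
        print("usage: check_default_user.py <CrushFTP users directory>")
        sys.exit(2)
    hits = list(scan_users_dir(root))
    for path, finding in hits:
        print(f"{path}: {finding}")
    sys.exit(1 if hits else 0)
```

A hit is a reason to treat the host as compromised and begin incident response, not merely to patch; an empty result only says this one indicator is absent, so it should be paired with the other checks in the vendor advisory.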

“As always, we recommend regular and frequent patching,” CrushFTP advised, adding that any users who were up to date would not have been impacted by the exploit. “Enterprise customers with a DMZ CrushFTP in front of their main are not affected by this,” the statement added.
