Attackers Modify File-Transfer Server Software to Display Patched Version Number
A zero-day in file transfer software made by a Nevada company with a recent history of racking up vulnerabilities is still active in more than 1,000 instances, according to internet scans.
Nevada-based CrushFTP disclosed Friday an actively exploited flaw in software builds released “prior to July 1st time period roughly.”
“Hackers apparently reverse engineered our code and found some bug which we had already fixed. They are exploiting it for anyone who has not stayed current on new versions,” the company said. The Shadowserver Foundation said that it spotted 1,040 unpatched instances as of Sunday, primarily in the United States, Germany and Canada.
The vulnerability, tracked as CVE-2025-54309, involves the software’s handling of validation for Applicability Statement 2 (AS2), an HTTP-based protocol for transmitting structured business data, including for file-transfer purposes. The flaw allows remote attackers to obtain admin access through the unprotected alternate channel of HTTPS. The vulnerability doesn’t affect users who implemented the DMZ proxy feature, CrushFTP said.
The company said it began observing in-the-wild attacks around 14:00 UTC on Friday. Hackers looked into a recent patch that fixed an unrelated HTTPS issue with AS2, it said. Coders didn’t realize that the flaw could also be exploited. AS2 is a specification for securely transferring data with an emphasis on non-repudiation, so that all parties receive acknowledgement that the data has been sent and received.
Vulnerable versions of the software include all version 10 builds below 10.8.5, and all version 11 builds below 11.3.4_23.
Managed file transfer software has had a starring role in notable hacks for several years now. The Clop, aka Cl0p, extortion group in particular has devoted time and energy to identifying never-before-seen flaws in popular MFT tools, as demonstrated by its campaigns targeting Accellion File Transfer Appliance in 2020 and 2021, Fortra/Linoma GoAnywhere MFT servers in early 2023, Progress Software’s MOVEit in May 2023 and Cleo Communications’ Harmony, VLTrader and LexiCom MFT software in late 2024.
Hacked Software Shows Fake Version Number
CrushFTP warned users Friday to not trust any version number they see in the web interface and to validate the hash tied to their software installation. “Hackers have been making the version display a fake version to give a false sense of security,” it said. “We provide the ‘validate hashes function’ on the about tab to compare MD5 hashes and look for extra code they may have installed into CrushFTP.”
The company’s security alert details a number of indicators of compromise: the default user, or other recently created usernames, having admin rights; the appearance of oddly named, never-before-seen users in an unusual format, such as “7a0d26089ac528941bf8cb998d97f408m”; or the default user.xml file having been recently modified.
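A defender’s triage check over the three indicators listed above, added here as example code (not CrushFTP’s own tooling): the account record shape, the literal `default` account name and the exploit-window timestamp are assumptions, and the sample data is constructed.

```python
import re
from datetime import datetime, timezone

# Username shape quoted in CrushFTP's alert: 32 hex digits plus one trailing
# letter, as in "7a0d26089ac528941bf8cb998d97f408m".
ODD_USERNAME = re.compile(r"^[0-9a-f]{32}[a-z]$")
DEFAULT_USER = "default"  # assumed name of the built-in account the alert refers to


def check_indicators(accounts, default_user_xml_mtime, exploit_start):
    """Flag the three indicators from the alert.

    accounts: list of dicts {name, is_admin, created}; this record shape is
    constructed for the example and is not CrushFTP's actual user-store format.
    default_user_xml_mtime / exploit_start: timezone-aware datetimes; account
    creation times are compared against exploit_start.
    Returns a list of human-readable findings (empty list = nothing flagged).
    """
    findings = []
    for acct in accounts:
        name = acct["name"]
        if name == DEFAULT_USER:
            if acct["is_admin"]:
                findings.append("default user has admin rights")
            continue
        if ODD_USERNAME.match(name):
            findings.append(f"oddly named user in hex-like format: {name}")
        if acct["is_admin"] and acct["created"] >= exploit_start:
            findings.append(f"admin user created during exploit window: {name}")
    if default_user_xml_mtime >= exploit_start:
        findings.append("default user.xml modified during exploit window")
    return findings


# Constructed sample data (not from any real server). The exploit-window start
# is a placeholder; substitute the time your own monitoring establishes.
EXPLOIT_START = datetime(2025, 7, 18, 14, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"name": "default", "is_admin": True,
     "created": datetime(2023, 1, 5, tzinfo=timezone.utc)},
    {"name": "alice", "is_admin": False,
     "created": datetime(2024, 3, 9, tzinfo=timezone.utc)},
    {"name": "7a0d26089ac528941bf8cb998d97f408m", "is_admin": True,
     "created": datetime(2025, 7, 18, 16, 42, tzinfo=timezone.utc)},
]
SAMPLE_XML_MTIME = datetime(2025, 7, 18, 16, 42, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in check_indicators(SAMPLE_ACCOUNTS, SAMPLE_XML_MTIME, EXPLOIT_START):
        print("IoC:", finding)
```

A clean run returns an empty list; a version string shown in the web UI is not a substitute for this kind of check, since the alert says the display itself can be faked.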
CrushFTP said that updating to a patched version of the software blocks any attempt to exploit the flaw, and that users who had kept current with new releases were already protected.
After updating, any user with software that’s been hacked should “restore a prior default user from your backup folder from before the exploit,” CrushFTP said.
As of Monday, the latest available versions were 10.8.5 and 11.3.5. Per the change log, the latter includes “additional username filtering to theoretically avoid future similar exploit attacks.”
To better block any similar types of attacks in the future, CrushFTP recommends limiting the IP addresses that can be used to administer the software, using whitelists to restrict the IP addresses allowed to connect to the server, as well as setting the software preferences to allow the software to auto-update.
Ryan Emmons, a staff security researcher at Rapid7, advised all users to immediately upgrade to a patched version. He also questioned whether the DMZ proxy feature would prevent attackers from exploiting the vulnerability. “Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy,” he said.
CrushFTP had a moment of notoriety earlier this year with an actively exploited authentication bypass vulnerability tracked as CVE-2025-31161. The U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability to its list of known exploited vulnerabilities. Besides amounting to a high-risk flaw, the vulnerability caused controversy after it emerged that when CrushFTP emailed customers on March 21 urging them to patch, it did so without tracking the vulnerability with a CVE number.
A researcher at VulnCheck used the company’s own CVE numbering authority to designate the flaw as CVE-2025-2825, apparently provoking a response from CrushFTP CEO Ben Spink, who emailed the researcher, according to a screenshot posted online, to say: “Your reputation will go down if you do not voluntarily remove your fake item. It will be blatantly obvious when the real CVE is live since it literally explains in detail the vulnerability you know nothing about.”
Federally funded research and development center Mitre, which runs the CVE program, sided with CrushFTP. Researchers at cybersecurity firm Outpost24, who first spotted the flaw, said they had obtained an agreement from CrushFTP to delay public disclosure for 90 days but had applied for a CVE number with Mitre on March 13.