Hackers Exploit CrushFTP Zero-Day to Take Over Servers

WatchTowr Labs uncovers a zero-day exploit (CVE-2025-54309) in CrushFTP. The vulnerability lets hackers gain admin access via the web interface. Update to v10.8.5 or v11.3.4.
A zero-day vulnerability in CrushFTP, a widely used file transfer server, is being actively exploited by hackers. Cybersecurity firm watchTowr Labs discovered the active exploitation of this flaw, tracked as CVE-2025-54309. The vulnerability was added to the CISA Known Exploited Vulnerabilities Catalogue on July 22, 2025, confirming its critical status.
watchTowr Labs’ investigation revealed a critical threat to over 30,000 online instances of the software. In its official statement, CrushFTP confirmed that the vulnerability had been exploited in the wild as early as July 18, 2025.
The company noted that the latest versions of the software had already fixed the issue. Hackers likely figured out how to exploit the bug after the company made a recent code change to fix a different problem, accidentally revealing the vulnerability to attackers.
“We believe this bug was in builds prior to July 1st time period, roughly… the latest versions of CrushFTP already have the issue patched. The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.” (CrushFTP’s statement)
watchTowr Labs used its proprietary honeypot network, called Attacker Eye, to capture the attack as it happened. The team deployed a specific sensor for CrushFTP and received an immediate alert when the sensor was breached.
Analysis of the raw network traffic revealed a distinct pattern: two similar HTTP requests were being sent in rapid succession, repeated over 1,000 times. The key difference between the two requests was in their headers.
The first request contained a header that pointed to the internal administrative user crushadmin, while the second request did not. This behaviour hinted at a race condition: a flaw that occurs when two tasks compete for the same resource and the outcome depends on which one finishes first.
In this case, the two requests were racing to be processed. If the requests arrived in a very specific order, the second request was able to take advantage of the first, executing as the crushadmin user without proper authentication (as the server thinks the attacker is an administrator).
From there, it is effectively game over because the hacker can bypass authentication and then take full control of the server, retrieve sensitive files, and cause significant damage.
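The following is an added, constructed illustration of the vulnerability class the article describes, not CrushFTP's code and not a reproduction of the exploit: two concurrently handled requests race over who the server believes the caller is. The header name `X-User` is a placeholder assumption (the article does not name the header), and the `between` hook simply forces the thread interleaving the article describes so the outcome is deterministic. The vulnerable server keeps the resolved identity in a field shared by all handler threads; the hardened server keeps it request-scoped.

```python
import threading

# Constructed example of an authorization race, written to illustrate the article.
# Not CrushFTP's code. "X-User" is a placeholder header name (assumption).

ADMIN_USER = "crushadmin"  # the internal administrative account named in the article


class SharedContextServer:
    """Vulnerable pattern: the resolved identity lives in one field shared by every
    handler thread, so request B's authorization check can read the identity that
    request A stored a moment earlier."""

    def __init__(self):
        self.current_user = None  # process-wide mutable state

    def handle(self, headers, between=None):
        # Step 1: resolve the caller's identity from the request and stash it globally.
        self.current_user = headers.get("X-User")  # placeholder header name (assumption)
        if between:
            between()  # stands in for the scheduler switching to another request here
        # Step 2: authorize by reading the shared field, which may have been overwritten.
        return self.current_user == ADMIN_USER


class RequestScopedServer:
    """Hardened pattern: identity is a local of the request being handled; no other
    request can alter it between resolution and the check."""

    def handle(self, headers, between=None):
        user = headers.get("X-User")  # placeholder header name (assumption)
        if between:
            between()
        return user == ADMIN_USER


def run_interleaving(server):
    """Force the interleaving the article describes: an unauthenticated request starts,
    an admin-headed request resolves its identity, then the unauthenticated request
    performs its authorization check. Returns {'unauthenticated': bool, 'admin': bool}
    giving whether each request was granted admin rights."""
    unauth_resolved = threading.Event()
    admin_resolved = threading.Event()
    results = {}

    def unauthenticated_request():
        def pause():
            unauth_resolved.set()           # let the admin request proceed
            admin_resolved.wait(timeout=5)  # resume only after it stored its identity
        results["unauthenticated"] = server.handle({}, between=pause)

    def admin_request():
        unauth_resolved.wait(timeout=5)
        results["admin"] = server.handle({"X-User": ADMIN_USER},
                                         between=admin_resolved.set)

    threads = [threading.Thread(target=unauthenticated_request),
               threading.Thread(target=admin_request)]
    for t in threads:
        t.start()
    for t in threads:
        t.join(timeout=10)
    return results


if __name__ == "__main__":
    # Shared state grants admin to the request that sent no identity header at all;
    # the request-scoped server does not.
    print("shared state   :", run_interleaving(SharedContextServer()))
    print("request-scoped :", run_interleaving(RequestScopedServer()))
```

The defensive takeaway is the second class: authorization must be decided on data bound to the request being processed, never on a mutable field that another concurrently handled request can rewrite between identity resolution and the check. Rapid bursts of near-identical request pairs from one source, as the article describes, are the traffic signature of an attacker trying to hit that window.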
The attack specifically occurs via the software’s web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23. Please note that enterprise customers using a DMZ CrushFTP instance to isolate their main server are not believed to be affected.
To confirm their findings, watchTowr Labs created their own script to replicate the attack and successfully created a new administrator account on a vulnerable instance.
According to researchers, the developers of CrushFTP had silently patched this issue in recent updates without publicly warning users, leaving many at risk. Given that this vulnerability is being actively exploited, it is critical to secure your system by updating the software to the latest patched versions immediately.
HackRead