Cybersecurity Threat Advisory: CrushFTP zero-day vulnerability

CrushFTP has disclosed a new critical vulnerability, CVE-2025-54309, which is currently being exploited in the wild. One indicator of compromise is a “last_logins” value set for internal default accounts. Review the details in this Cybersecurity Threat Advisory to help minimize your risk and ensure your systems are protected.

What is the threat?

CVE-2025-54309, carrying a CVSS score of 9.0, allows threat actors to exploit users running outdated versions of CrushFTP. By reverse-engineering patches, attackers are identifying previously fixed vulnerabilities and targeting unpatched instances.

Why is it noteworthy?

The flaw originates from improper AS2 validation when the DMZ proxy feature is not enabled, allowing remote attackers to gain administrative access over HTTPS. According to CrushFTP, the vulnerability affected builds released before July 1 and has been patched in the latest versions. While systems with a DMZ in front of CrushFTP appear to be unaffected, relying solely on a DMZ as a mitigation strategy is not recommended.

What is the exposure or risk?

Organizations running CrushFTP versions earlier than 10.8.5 and 11.2.3_23 are at the highest risk, regardless of platform. It remains unclear whether attackers are using this vulnerability to deploy malware or exfiltrate data, and how many organizations have been compromised. However, according to the latest Shadowserver reports, nearly 1,000 systems are still vulnerable.

What are the recommendations?

Barracuda recommends the following steps to mitigate the effects of CVE-2025-54309:

  • Update all CrushFTP platforms to the current version (CrushFTP 11.2.3_26 and CrushFTP 10.8.5_12) as soon as possible.
  • Restore affected user account data from older backups, or delete the default user if restoring backups isn’t possible.
  • Set IP restrictions for administrative accounts and configure the server to only accept connections from approved IP addresses.
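
To decide which accounts need restoring, the indicator named above (a “last_logins” value set on an internal default account) can be checked across the server's user files. The script below is an added example, not code from CrushFTP or Barracuda. It assumes one user.XML file per account directory, a `last_logins` XML element, and an account named `default`; the sample tree it builds is constructed.

```python
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: internal default account names; extend for your installation.
DEFAULT_ACCOUNTS = frozenset({"default"})

def find_last_logins(users_root, accounts=DEFAULT_ACCOUNTS):
    """Return (account, file, value) for each default account whose user file
    has a non-empty last_logins element, the indicator named in the advisory."""
    hits = []
    for path in sorted(Path(users_root).rglob("*")):
        # Assumed layout: <users_root>/<group>/<account>/user.XML
        if not path.is_file() or path.name.lower() != "user.xml":
            continue
        if path.parent.name not in accounts:
            continue
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            # A default-account file that no longer parses also needs review.
            hits.append((path.parent.name, str(path), "UNPARSEABLE"))
            continue
        for elem in root.iter("last_logins"):
            value = "".join(elem.itertext()).strip()
            if value:
                hits.append((path.parent.name, str(path), value))
    return hits

def build_sample(root):
    """Write a constructed sample tree (not real CrushFTP data) under root."""
    samples = {
        "GroupA/default": "<user><last_logins>203.0.113.7</last_logins></user>",
        "GroupA/alice": "<user><last_logins>198.51.100.2</last_logins></user>",
        "GroupB/default": "<user><last_logins></last_logins></user>",
    }
    for rel, xml in samples.items():
        folder = Path(root) / rel
        folder.mkdir(parents=True)
        (folder / "user.XML").write_text(xml, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else tmp
        if target == tmp:
            build_sample(tmp)  # no path given: scan the constructed sample
        for account, path, value in find_last_logins(target):
            print(f"REVIEW {account}: last_logins={value!r} in {path}")
```

Pass the server's user directory as the only argument; with no argument the script scans the constructed sample and reports only the GroupA default account.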

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.