A newly disclosed critical security flaw in CrushFTP, identified as CVE-2025-54309, is currently under active exploitation, which has raised significant concerns across various sectors that rely on the software. The flaw, which has been assigned a high CVSS score of 9.0, permits remote attackers to gain administrative access under certain conditions, posing serious risks, particularly for users in government and healthcare industries.
According to the vulnerability description provided by the NIST National Vulnerability Database, the issue affects CrushFTP versions prior to 10.8.5 and 11.3.4_23 and is exploitable when the DMZ proxy feature is not in use. The company first detected active exploitation of this vulnerability on July 18, 2025, and acknowledges that it may have been weaponized before that date.
CrushFTP confirmed that attackers exploited the vulnerability through HTTP(S), which allowed them to gain unauthorized access to sensitive server features. In a recent advisory, the company noted that attackers may have reverse engineered its source code, exploiting pre-existing bugs. This underscores the critical need for organizations using CrushFTP to implement updates promptly.
The potential ramifications of a successful exploit are significant; attackers could exfiltrate sensitive data, plant backdoors, or infiltrate internal systems, which emphasizes the necessity for users to monitor their systems closely. CrushFTP has shared several indicators of compromise (IoCs) to help organizations assess their security postures, which include the existence of default admin access and unexpected changes to user permissions.
As organizations scramble to mitigate the effects of this vulnerability, CrushFTP has laid out several recommendations, including restoring default users from backups, limiting administrative actions to specific IP addresses, and enabling automatic updates. Experts urge security teams to conduct thorough audits of user activity, focusing on login events and permission changes that may signal exploitation.
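The audit the advisory calls for can be scripted. The following Python is an added example written for this article, not CrushFTP's own tooling, and it does not use CrushFTP's real configuration or log formats: the user snapshots, the login events, and the admin source-address allow-list are all constructed placeholders. It diffs the current user list against a known-good backup to surface the indicators named above (unexpected admin access, new accounts, permission changes) and then flags successful administrative logins from addresses outside the allow-list.

```python
"""
Post-advisory audit helper for a managed file-transfer server.

Constructed example (not CrushFTP code). Two checks from the advisory:
  1. diff the current user list against a pre-incident backup to spot
     unexpected admin access, new accounts and permission changes;
  2. review login events for admin logins from addresses outside the
     allow-list that "limit admin actions to specific IPs" implies.
"""
from dataclasses import dataclass

# Constructed baseline: accounts as restored from a pre-incident backup.
BASELINE_USERS = {
    "crushadmin": {"admin": True,  "perms": {"read", "write", "admin"}},
    "alice":      {"admin": False, "perms": {"read", "write"}},
    "bob":        {"admin": False, "perms": {"read"}},
}

# Constructed current state of the same server after the suspicious window.
CURRENT_USERS = {
    "crushadmin": {"admin": True,  "perms": {"read", "write", "admin"}},
    "alice":      {"admin": True,  "perms": {"read", "write", "admin"}},  # escalated
    "bob":        {"admin": False, "perms": {"read"}},
    "svc_backup": {"admin": True,  "perms": {"read", "write", "admin"}},  # new account
}

# Constructed login events: (timestamp, username, source_ip, success).
LOGIN_EVENTS = [
    ("2025-07-18T02:14:09Z", "crushadmin", "10.0.5.12",    True),
    ("2025-07-18T02:31:44Z", "alice",      "10.0.7.33",    True),
    ("2025-07-18T03:02:51Z", "svc_backup", "203.0.113.9",  True),
    ("2025-07-18T03:05:10Z", "alice",      "203.0.113.9",  True),
    ("2025-07-18T03:06:00Z", "bob",        "198.51.100.4", False),
]

# Assumed allow-list of source addresses permitted to perform admin logins.
ADMIN_ALLOWLIST = {"10.0.5.12"}


@dataclass(frozen=True)
class Finding:
    kind: str     # category of the anomaly
    subject: str  # account the finding concerns
    detail: str   # human-readable evidence


def diff_users(baseline, current):
    """Compare current accounts with the backup; report drift worth reviewing."""
    findings = []
    for name, acct in current.items():
        base = baseline.get(name)
        if base is None:
            findings.append(Finding("new_account", name, f"admin={acct['admin']}"))
            continue
        if acct["admin"] and not base["admin"]:
            findings.append(Finding("admin_granted", name, "non-admin in backup, admin now"))
        added = acct["perms"] - base["perms"]
        removed = base["perms"] - acct["perms"]
        if added or removed:
            findings.append(Finding("perms_changed", name,
                                    f"+{sorted(added)} -{sorted(removed)}"))
    for name in baseline.keys() - current.keys():
        findings.append(Finding("account_missing", name, "present in backup, absent now"))
    return findings


def audit_admin_logins(events, current, allowlist):
    """Flag successful logins by admin accounts from non-allow-listed addresses."""
    findings = []
    for ts, user, ip, ok in events:
        acct = current.get(user)
        if not ok or acct is None:
            continue  # failed logins and unknown users are out of scope here
        if acct["admin"] and ip not in allowlist:
            findings.append(Finding("admin_login_offlist", user, f"{ts} from {ip}"))
    return findings


def run_audit():
    """Run both checks against the constructed data and return all findings."""
    return (diff_users(BASELINE_USERS, CURRENT_USERS)
            + audit_admin_logins(LOGIN_EVENTS, CURRENT_USERS, ADMIN_ALLOWLIST))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

Against the constructed data the script reports alice's escalation to admin (and the matching permission change), the new `svc_backup` admin account, and three admin logins from addresses outside the allow-list; bob's failed login is ignored. In a real deployment the two snapshot dictionaries would be populated from the backup and the live user store, and the event list from the server's own access log, whichever format that takes.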
The exact nature of the attacks exploiting CVE-2025-54309 is still being investigated, but this incident follows a pattern of multiple high-severity vulnerabilities in CrushFTP over the past year, including CVE-2025-31161 and CVE-2024-4040. With these repeated incidents, organizations should factor CrushFTP’s security record into broader assessments of their cybersecurity exposure.