- CrushFTP had a flaw that allowed attackers to gain administrator access via HTTPS
- It was fixed in early July 2025, but the risk persists
- Around 1,000 servers still run vulnerable older versions while attacks are observed in the wild
Hackers are actively exploiting a critical vulnerability in CrushFTP instances to gain administrator access to vulnerable servers, experts have warned.
A fix was released in early July 2025, with the file transfer company urging customers to apply it as soon as possible.
However, on July 18 the company said it had seen a zero-day exploit used against this vulnerability, meaning the attacks had been going on for longer than that and were only observed at that time.
About a thousand targets
In a recently published security advisory, CrushFTP explained that in all 10.x versions below 10.8.5 and all 11.x versions below 11.3.4_23, when the demilitarized zone (DMZ) proxy feature is not used, mishandled AS2 validation allows remote attackers to obtain administrative access via HTTPS.
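The advisory names two fixed versions with different formats (10.8.5 and 11.3.4_23, the latter carrying an underscore build number), so a naive string comparison gets the answer wrong. The following is an added inventory-triage example, not code from CrushFTP or the article; it assumes the "major.minor.patch[_build]" format seen in the advisory, treats a missing build suffix as build 0, and uses constructed host names.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed build on each major line, as stated in the advisory.
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[_build]' into a comparable tuple.
    A missing build suffix is treated as build 0 (our assumption)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_unpatched(text: str) -> Optional[bool]:
    """True if the version predates the fix for its major line,
    False if fixed, None if the major line is not covered by the advisory."""
    v = parse_version(text)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def triage(inventory: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Return hosts that run an unpatched version AND do not use the DMZ
    proxy feature, i.e. the exact condition the advisory describes.
    Hosts behind the DMZ proxy still need the update; they are just not
    in the immediately exploitable set reported here."""
    return sorted(
        host for host, (version, dmz_proxy) in inventory.items()
        if is_unpatched(version) and not dmz_proxy
    )


# Constructed sample inventory: host -> (version, DMZ proxy in use). Not real hosts.
SAMPLE = {
    "ftp-a": ("11.3.4_22", False),  # one build short of the fix
    "ftp-b": ("11.3.4_23", False),  # fixed
    "ftp-c": ("10.8.4", False),     # old 10.x line, unpatched
    "ftp-d": ("10.8.5", False),     # fixed
    "ftp-e": ("11.3.4", True),      # unpatched but behind the DMZ proxy
}

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(f"{host}: update required")
```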
“The hackers apparently reverse-engineered our code and found a bug that we had already fixed,” the advisory said. “They are exploiting it against anyone who has not kept up to date with new versions.”
We do not know whether the attackers are using the bug to drop malware or steal data, nor the exact number of organizations that have already been compromised as a result of this flaw.
We do know that just under 1,000 organizations remain vulnerable, according to Shadowserver’s latest data. These organizations have now been notified of the potential risk. Those that have been exploited should restore a prior default user from their backup file.
“As always, we recommend regular and frequent patching,” CrushFTP warned. “Anyone who had kept up to date was spared this exploit.”
The bug is tracked as CVE-2025-54309 and has a severity score of 9.0.
Via BleepingComputer