Top file transfer tool CrushFTP says a thousand servers are still vulnerable to cyberattack, so patch now

CrushFTP had a flaw that allowed admin access via HTTPS
It was patched in early July 2025, but risks persist
Around 1,000 servers running older versions at risk as attacks are spotted in the wild

Hackers are actively exploiting a critical vulnerability in CrushFTP instances, gaining admin access to vulnerable servers, experts have warned.

It was addressed in early July 2025 with a patch, with file transfer company urging customers to apply it as soon as possible.

However, on July 18, the company said it saw a zero-day exploit being used against this vulnerability – meaning it is possible the attacks have been going on for longer, and were only observed then.

Around a thousand targets

In a recently published security advisory, CrushFTP explained that in all versions 10 below 10.8.5 and all versions 11 below 11.3.4_23, when the Demilitarized Zone (DMZ) proxy feature is not used, there was a mishandling of AS2 validation vulnerability, which allows remote attackers to obtain admin access via HTTPS.

“Hackers apparently reverse engineered our code and found some bug which we had already fixed,” the advisory reads. “They are exploiting it for anyone who has not stayed current on new versions.”

We don’t know if the attackers are using the bug to drop malware, or steal data, and we don’t know the exact number of organizations that were already compromised as a result of this flaw.

We do know that just below 1,000 organizations remain vulnerable, as per the latest data from Shadowserver. These organizations are now being notified of the potential risk. Those who were exploited should restore a prior default user from their backup folder.

“As always we recommend regularly and frequent patching,” CrushFTP warned. “Anyone who had kept up to date was spared from this exploit. Enterprise customers with a DMZ CrushFTP in front of their main are not affected by this.”

The bug is tracked as CVE-2025-54309, and has a severity score of 9.0.

Via BleepingComputer

https://cdn.mos.cms.futurecdn.net/XztdngjRmFS6xK2nNWp7Nm.jpg

Source link

Maintaining cyber control when AI can act autonomously

OpenAI doesn’t just want to answer your questions — it wants to run your digital life

A 90-year-old audio brand just put out its most affordable speakers yet — and the specs look very tasty indeed

Rethinking Zero Trust in the Age of Digital Warfare

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

Kelly Ripa Got Microneedling on Her Butt Cheeks

Meet Logan Marshall-Green, who plays Cal on Yellowstone spin-off Marshals

GTA 6’s Official Map Is Bigger Than We Ever Dreamed

10 Marvel and DC Crossovers We’d Love To See in Movies

Have a strong brand in a world of noise—it’s like having the only red T-shirt in a stadium full of white ones

Form S-3 Flowco Holdings Inc For: 2 April

Iran war and energy shock may force Asia to revisit its AI playbook

Citizens reiterates Redwood Trust stock rating on earnings outlook

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Top file transfer tool CrushFTP says a thousand servers are still vulnerable to cyberattack, so patch now

Maintaining cyber control when AI can act autonomously

Kelly Ripa Got Microneedling on Her Butt Cheeks

Have a strong brand in a world of noise—it’s like having the only red T-shirt in a stadium full of white ones

OpenAI doesn’t just want to answer your questions — it wants to run your digital life