At least 1000 CrushFTP instances remain exposed to a critical flaw in the file transfer server that is currently being exploited by attackers, according to cybersecurity experts.

The vulnerability, tracked as CVE-2025-54309, stems from mishandling of AS2 validation in CrushFTP 10 before 10.8.5 and CrushFTP 11 before 11.3.4_23. It is exploitable when the demilitarized zone (DMZ) proxy feature is not in use.

When exploited, CVE-2025-54309 allows remote attackers to obtain admin access via HTTPS.

CVE-2025-54309 Exploitation Observed

CrushFTP, LLC, the vendor of the eponymous multi-protocol, multi-platform file transfer server, disclosed CVE-2025-54309 to a private mailing list on July 18 and later in a public vendor advisory.

MITRE also reported the vulnerability on July 18 and assigned it a CVSS score of 9.0.

The file transfer company warned that threat actors were observed exploiting CVE-2025-54309 from 9:00 am CST on July 18, although exploitation may have begun earlier.

The vendor also emphasized that systems running up-to-date software are not susceptible to this vulnerability and urged customers to update to a fixed version of CrushFTP immediately. The latest fixed versions are CrushFTP 11.3.4_26 and CrushFTP 10.8.5_12.
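The affected and fixed ranges above use CrushFTP's four-part version scheme (major.minor.patch plus an optional "_build" suffix), which a plain string comparison gets wrong ("11.3.4_9" sorts after "11.3.4_23"). The following is an added triage helper, not code from the article or from CrushFTP, that parses that scheme and classifies a version string against the ranges stated in the advisory text (10.x before 10.8.5 and 11.x before 11.3.4_23 are vulnerable; 10.8.5_12 and 11.3.4_26 are the latest fixed builds). The version strings in the inventory are constructed sample data; where you obtain them (admin UI, update dialog, asset inventory) is your assumption to verify, and the check deliberately ignores whether a DMZ proxy is deployed.

```python
import re
from typing import List, NamedTuple, Tuple


class CrushFtpVersion(NamedTuple):
    """Numeric form of a CrushFTP version such as 11.3.4_23.

    Tuple ordering gives correct comparisons: build is compared
    numerically, and a missing "_build" suffix counts as build 0.
    """
    major: int
    minor: int
    patch: int
    build: int

    @classmethod
    def parse(cls, text: str) -> "CrushFtpVersion":
        # Accepts "10.8.5", "11.3.4_23", or a fragment like "CrushFTP 11.3.4_26".
        m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", text)
        if not m:
            raise ValueError(f"no CrushFTP version found in {text!r}")
        major, minor, patch, build = m.groups()
        return cls(int(major), int(minor), int(patch), int(build or 0))

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}_{self.build}"


# First build per branch in which CVE-2025-54309 is fixed (from the advisory text).
FIRST_FIXED = {
    10: CrushFtpVersion(10, 8, 5, 0),
    11: CrushFtpVersion(11, 3, 4, 23),
}
# Latest fixed builds named by the vendor.
LATEST_FIXED = {
    10: CrushFtpVersion(10, 8, 5, 12),
    11: CrushFtpVersion(11, 3, 4, 26),
}


def assess(version_text: str) -> Tuple[str, str]:
    """Return (status, note) for one version string.

    status is "vulnerable", "patched" or "unknown". Branches other than
    10 and 11 are not covered by the advisory, so they are reported as
    unknown rather than assumed safe.
    """
    v = CrushFtpVersion.parse(version_text)
    if v.major not in FIRST_FIXED:
        return ("unknown", f"{v.major}.x is not covered by the advisory; treat as unsupported")
    if v < FIRST_FIXED[v.major]:
        return ("vulnerable", f"upgrade to {LATEST_FIXED[v.major]}")
    if v < LATEST_FIXED[v.major]:
        return ("patched", f"CVE-2025-54309 fixed; newer build {LATEST_FIXED[v.major]} is available")
    return ("patched", "at or above the latest fixed build")


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (host, version) pairs; returns (host, status, note) rows."""
    rows = []
    for host, version in inventory:
        try:
            status, note = assess(version)
        except ValueError as exc:
            status, note = "unknown", str(exc)
        rows.append((host, status, note))
    return rows


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = [
    ("ftp-a.example.test", "CrushFTP 11.3.4_22"),
    ("ftp-b.example.test", "11.3.4_23"),
    ("ftp-c.example.test", "10.8.4_99"),
    ("ftp-d.example.test", "10.8.5"),
    ("ftp-e.example.test", "9.5.0"),
]

if __name__ == "__main__":
    for host, status, note in triage(SAMPLE_INVENTORY):
        print(f"{host:22} {status:11} {note}")
```

The comparison is the whole point: "10.8.4_99" is below "10.8.5" even though its build number is larger, and "11.3.4_22" is one build short of the first fix. Anything the script flags as vulnerable should be patched regardless of DMZ deployment, in line with Rapid7's advice below.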

Additionally, CrushFTP stated, "We don't believe people with a DMZ CrushFTP in front of their main are affected by this."

However, in a July 18 advisory, Rapid7 said its researchers were not convinced this statement was true and advised against relying on a DMZ as a mitigation strategy.

On July 21, the Shadowserver Foundation reported observing 1040 unpatched CrushFTP instances, with the top affected countries being the US, Germany and Canada.