Hackers Target Critical CrushFTP Vulnerability to Gain Administrative Access on Unpatched Servers

July 20, 2025
Vulnerability / Threat Intelligence

A recently identified critical vulnerability in CrushFTP is now being actively exploited. Designated CVE-2025-54309, this flaw has a CVSS score of 9.0. According to the NIST National Vulnerability Database, “CrushFTP versions 10 prior to 10.8.5 and 11 prior to 11.3.4_23, when the DMZ proxy feature is not in use, improperly handles AS2 validation, enabling remote attackers to gain admin access via HTTPS.” CrushFTP reported detecting the first zero-day exploitation of this vulnerability on July 18, 2025, at 9 a.m. CST, although they noted that it might have been weaponized earlier. The company explained, “The attack vector utilized HTTP(S) to exploit the server. While we had addressed a separate AS2-related issue in HTTP(S), we did not realize that a previous bug could be exploited in this manner. It seems hackers observed our code changes and took advantage of them.”

Exploit of Critical Vulnerability in CrushFTP Grants Unauthorized Admin Access

On July 20, 2025, cybersecurity experts reported that a serious security vulnerability in CrushFTP has been actively exploited. This vulnerability, identified as CVE-2025-54309, has been assigned a CVSS score of 9.0, indicating its critical nature. The vulnerability affects versions of CrushFTP prior to 10.8.5 and 11 prior to 11.3.4_23, specifically when the DMZ proxy feature is not in use. The flaw pertains to improper handling of AS2 validation, enabling remote attackers to gain administrative access through HTTPS.

CrushFTP first observed instances of this zero-day exploit in real-world scenarios on July 18, 2025, at 9 a.m. CST, although the company acknowledged the possibility that the vulnerability may have been weaponized earlier. The exploit’s attack vector primarily utilized HTTP(S), allowing attackers to manipulate the server’s functionality. CrushFTP indicated that previous patches addressing a different AS2-related issue inadvertently neglected this underlying vulnerability, suggesting that hackers took advantage of their code modifications.

The implications of this vulnerability are significant, potentially affecting numerous organizations relying on CrushFTP for secure file transfer. The level of threat posed by this lapse in security is particularly concerning, given the potential for unauthorized access to sensitive data stored on affected servers.

In terms of geographic impact, victims of this attack may be widespread, as CrushFTP is used globally across various sectors, including finance, healthcare, and technology. As organizations grapple with a landscape rife with cybersecurity challenges, timely updates and patch management become increasingly critical in mitigating risks associated with such vulnerabilities.

Utilizing frameworks such as the MITRE ATT&CK Matrix can aid organizations in understanding the tactics and techniques employed by malicious actors. In this instance, techniques associated with initial access and privilege escalation are particularly relevant. Attackers may have leveraged the flaw to secure unauthorized access and further escalate their privileges within the compromise environment.

Business owners who use CrushFTP are advised to prioritize immediate patching of their systems to thwart potential exploitation. This incident serves as a stark reminder of the ever-evolving landscape of cyber threats and the importance of maintaining robust cybersecurity practices. Ensuring that security measures are regularly updated can play a pivotal role in safeguarding against future attacks.

Source link

Related Posts

Severe Flaw in NVIDIA Container Toolkit Enables Privilege Escalation in AI Cloud Services

On July 18, 2025, cybersecurity experts revealed a critical vulnerability in the NVIDIA Container Toolkit that threatens AI cloud services. Identified as CVE-2025-23266, this flaw has a CVSS score of 9.0 out of 10.0 and has been dubbed “NVIDIAScape” by Wiz, a cloud security firm owned by Google. According to NVIDIA’s advisory, the vulnerability arises from issues in the initialization hooks of the container, allowing attackers to execute arbitrary code with elevated permissions. Successful exploitation could lead to privilege escalation, data tampering, information leakage, and denial-of-service attacks. This vulnerability affects all versions of the NVIDIA Container Toolkit up to 1.17.7 and the NVIDIA GPU Operator up to 25.3.0, with patches included in versions 1.17.8 and 25.3.1.

Exploitation of Ivanti Vulnerabilities Leads to MDifyLoader Deployment and In-Memory Cobalt Strike Attacks

Cybersecurity researchers have revealed new insights into MDifyLoader, a malware recently linked to cyber attacks exploiting security weaknesses in Ivanti Connect Secure (ICS) appliances. A report from JPCERT/CC highlights that threat actors have exploited vulnerabilities CVE-2025-0282 and CVE-2025-22457 between December 2024 and July 2025 to deploy MDifyLoader, which is then utilized to initiate in-memory Cobalt Strike operations. CVE-2025-0282 is a critical vulnerability allowing unauthenticated remote code execution, addressed by Ivanti in January 2025. Meanwhile, CVE-2025-22457, patched in February 2025, involves a stack-based buffer overflow potentially enabling arbitrary code execution. Previous findings indicate that CVE-2025-0282 was actively weaponized in the wild as a zero-day beginning in mid-December 2024, facilitating the delivery of various malware families.

Severe Unpatched SharePoint Zero-Day Under Active Exploitation, Compromises Over 75 Company Servers

July 20, 2025
Zero-Day / Vulnerability

A serious security flaw in Microsoft SharePoint Server has been weaponized in an ongoing, large-scale exploitation campaign. The zero-day vulnerability, identified as CVE-2025-53770 (CVSS score: 9.8), is a variant of CVE-2025-49704 (CVSS score: 8.8), which was addressed by Microsoft in their July 2025 Patch Tuesday updates. Microsoft explained that “deserialization of untrusted data in on-premises Microsoft SharePoint Server enables unauthorized attackers to execute code over a network,” as detailed in an advisory released on July 19, 2025. The company is actively preparing a comprehensive update to mitigate this issue. Viettel Cyber Security is credited with discovering and reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI). Additionally, Microsoft has acknowledged awareness of ongoing attacks related to this vulnerability.

Security Vulnerability: Hard-Coded Credentials in HPE Instant On Devices Enable Unauthorized Admin Access

Date: July 21, 2025
Category: Network Security / Vulnerability

Hewlett-Packard Enterprise (HPE) has issued critical security updates to rectify a significant vulnerability in Instant On Access Points. This flaw, identified as CVE-2025-37103, has a CVSS rating of 9.8 out of 10 and allows attackers to bypass authentication, potentially granting them administrative access to affected systems. According to the advisory, “Hard-coded login credentials were discovered in HPE Networking Instant On Access Points, enabling anyone aware of these credentials to circumvent standard device authentication.” Additionally, HPE has addressed another security issue involving authenticated command injection in the command-line interface (CVE-2025-37102, CVSS score: 7.2), which could allow remote attackers to execute arbitrary commands on the operating system with elevated privileges.