On Friday, July 18, 2025, managed file transfer vendor CrushFTP released information to a private mailing list about a new critical vulnerability, tracked as CVE-2025-54309, affecting versions below 10.8.5 and 11.3.4_23 across all platforms. According to the public-facing vendor advisory, this vulnerability in the CrushFTP managed file transfer web interface is being exploited in the wild. Based on the Indicators of Compromise provided in the advisory, a “last_logins” value set on the internal “default” user account is indicative of exploitation.
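The following is an added example of how a defender could check for the indicator described above; it is not code from the Rapid7 post or from the CrushFTP vendor advisory. It assumes (not stated on this page) that CrushFTP keeps one user.XML per account under users/<server-group>/<username>/ and that login history appears there as a last_logins element; adjust both to your install.

```python
# Added detection example (not from the Rapid7 post or the vendor advisory):
# look for a "last_logins" value on CrushFTP's internal "default" account,
# which the advisory treats as an indicator of compromise.
#
# Assumptions (not on the page): per-account files live at
# <install>/users/<server-group>/<username>/user.XML, and login history is
# stored as a <last_logins> element inside <user>.
import xml.etree.ElementTree as ET
from pathlib import Path


def default_user_has_last_logins(user_xml: str) -> bool:
    """Return True if this user.XML carries a non-empty last_logins entry.

    The internal 'default' account is not meant to log in interactively,
    so any recorded login on it is worth an incident-response look.
    """
    root = ET.fromstring(user_xml)
    node = root.find(".//last_logins")
    return node is not None and (node.text or "").strip() != ""


def scan_users_dir(users_dir) -> list:
    """Walk users/<group>/default/user.XML and return the paths that match."""
    base = Path(users_dir)
    flagged = []
    # Path.glob on a missing directory simply yields nothing.
    for user_xml in base.glob("*/default/user.XML"):
        if default_user_has_last_logins(user_xml.read_text(encoding="utf-8")):
            flagged.append(str(user_xml))
    return flagged


# Constructed samples so the check runs stand-alone; element names are assumed.
CLEAN_DEFAULT_USER = "<user><username>default</username></user>"
SUSPECT_DEFAULT_USER = (
    "<user><username>default</username>"
    "<last_logins>2025-07-18 03:12:44</last_logins></user>"
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_DEFAULT_USER), ("suspect", SUSPECT_DEFAULT_USER)):
        print(label, default_user_has_last_logins(sample))
    # Point this at the real users directory of a CrushFTP install to scan it.
    print(scan_users_dir("/opt/CrushFTP/users"))  # assumed path, placeholder
```

A match is a starting point for investigation, not proof on its own; the vendor advises restoring affected user account data from older backups.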
Mitigation guidance
According to the advisory, CrushFTP versions below 11.3.4_23 and 10.8.5 are vulnerable to CVE-2025-54309. The latest available patched versions of CrushFTP, as of July 18, 2025, are:
- CrushFTP 11.3.4_26
- CrushFTP 10.8.5_12
The vendor advisory emphasizes the importance of updating to a fixed version of CrushFTP on an urgent basis. Rapid7 echoes this guidance and urges organizations to apply the vendor-supplied patch on an emergency basis, without waiting for a typical patch cycle to occur.
While the vendor guidance, as of July 18, states “We don’t believe people with a DMZ CrushFTP in front of their main are affected by this,” it’s unclear whether this is actually an effective barrier to exploitation. Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy. The vendor also notes that targeted installations should restore affected user account data from older backups.
Rapid7 customers
An authenticated vulnerability check for InsightVM and Nexpose customers is in development and expected to be available in today’s (Friday, July 18) content release.