Hackers Exploit Zero-Day in CrushFTP

Zero-Day Attack Hits CrushFTP: Hackers Gain Remote Access to Servers

The420.in Staff

In mid-July, cybersecurity firm watchTowr Labs documented an active exploitation campaign targeting CrushFTP, a widely deployed enterprise file transfer server. The flaw, tracked as CVE-2025-54309, was confirmed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which promptly added it to its Known Exploited Vulnerabilities (KEV) catalog. With more than 30,000 internet-facing instances potentially exposed, security experts warn that the attack is one of the most urgent server-side threats in recent months.

CrushFTP, in a statement, acknowledged that the flaw had been abused in the wild since at least July 18, and emphasized that its current builds already contain the fix.


How Hackers Gained an Edge

According to watchTowr's forensic analysis, the flaw was closed incidentally by a code change meant to fix an unrelated bug. Attackers appear to have compared the new build against the old one, worked out what the change had quietly corrected, and built an exploit for the pre-fix code still running on servers that had not updated.

The exploit abuses a race condition: the outcome of two requests processed at the same time depends on how their individual steps interleave. By firing two nearly identical HTTP requests almost simultaneously, attackers could land in a window where the server processed one of them with administrator privileges. Once the server treated a request as the built-in "crushadmin" account, the attacker had bypassed every access control and held full control of the server.
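To make the mechanics concrete, here is an added illustration of the class of bug the article describes; it is not code from CrushFTP or from watchTowr's write-up. The three-step handler, the shared Session object, the password and the create_admin_user action are all assumptions used to model a server that publishes a claimed identity to shared state before verifying it. Instead of relying on real thread timing, a small scheduler enumerates every possible interleaving of two near-identical requests, so the winning window is found exactly rather than by luck:

```python
"""Illustrative model of an authentication race on shared server state.

Added example: NOT CrushFTP's code. The handler steps, the shared Session
object, the credential and the action name are assumptions that model the
vulnerability class (two near-identical requests, one of which ends up
treated as the administrator)."""
from itertools import permutations

ADMIN = "crushadmin"
VALID_PASSWORD = "correct-horse"   # constructed credential for the model


class Session:
    """Mutable state the vulnerable server shares between concurrent requests."""
    def __init__(self):
        self.user = "anonymous"


class VulnerableServer:
    """Writes the *claimed* identity to shared state before checking it."""
    def __init__(self):
        self.session = Session()
        self.admin_actions = []

    def handle(self, req):
        # Each `yield` marks a point where the scheduler may switch requests.
        self.session.user = req["user"]              # 1. provisionally trust the claimed name
        yield
        if req["password"] != VALID_PASSWORD:        # 2. verify; demote on failure
            self.session.user = "anonymous"
        yield
        if self.session.user == ADMIN:               # 3. authorize from the SHARED field
            self.admin_actions.append(req["action"])


class HardenedServer:
    """Keeps the principal in a per-request local; shared state never holds an unverified identity."""
    def __init__(self):
        self.session = Session()
        self.admin_actions = []

    def handle(self, req):
        principal = "anonymous"                      # 1. nothing trusted yet
        yield
        if req["password"] == VALID_PASSWORD:        # 2. promote only after verification
            principal = req["user"]
        yield
        if principal == ADMIN:                       # 3. authorize from the LOCAL copy
            self.admin_actions.append(req["action"])


def run_schedule(server_cls, requests, schedule):
    """Drive the handlers in the given interleaving ("AABABB" = A,A,B,A,B,B); return admin actions done."""
    server = server_cls()
    gens = {name: server.handle(req) for name, req in requests.items()}
    for name in schedule:
        try:
            next(gens[name])
        except StopIteration:
            pass                                     # that request already finished
    return server.admin_actions


def winning_interleavings(server_cls, steps=3):
    """Every interleaving of two forged requests (each `steps` turns) that yields an admin action."""
    forged = {"user": ADMIN, "password": "wrong", "action": "create_admin_user"}
    requests = {"A": dict(forged), "B": dict(forged)}   # the "nearly identical" pair
    schedules = sorted(set(permutations("A" * steps + "B" * steps)))
    return [s for s in schedules if run_schedule(server_cls, requests, s)]


if __name__ == "__main__":
    for cls in (VulnerableServer, HardenedServer):
        wins = winning_interleavings(cls)
        print(f"{cls.__name__}: {len(wins)} of 20 interleavings grant admin: "
              + ", ".join("".join(s) for s in wins))
```

In this model only 2 of the 20 interleavings let a forged request act as crushadmin: the request whose credential has already been rejected reaches its authorization step just after the other request has provisionally written the admin name into the shared object. That narrow window is why an attacker fires the pair repeatedly instead of once. The hardened variant decides on a per-request local that is only ever promoted after verification, so no interleaving succeeds while a request carrying the real password still works.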

Capturing the Attack in Real Time

To validate the discovery, watchTowr deployed its "Attacker Eye" honeypot network and recorded the exploit as it occurred. Captured traffic showed attackers sending the same pair of requests over and over, sometimes more than 1,000 times in a single run, until the timing fell in their favor.
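The traffic pattern described above is something a defender can look for. The following is an added example, not a tool from watchTowr or CrushFTP, that runs a simple burst detector over constructed log lines. The log format, the /api/session path, the IP addresses, the timestamps and the thresholds are all assumptions. The rule flags any source that repeats the same request line with the same claimed user more than a set number of times inside a short window, and reports the tightest gap between consecutive requests, which for a race exploit is a few milliseconds rather than the seconds a human produces:

```python
"""Burst detector for repeated near-identical requests.

Added example; the line format, path, addresses and thresholds are
constructed assumptions, not CrushFTP's own log format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: <ISO timestamp> <client ip> "<method> <path> HTTP/1.x" user=<claimed user>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" user=(?P<user>\S+)$'
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped, not fatal."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_bursts(lines, window=timedelta(seconds=10), min_requests=20):
    """Flag every (src, method, path, user) tuple seen >= min_requests times inside `window`.

    One alert per tuple, describing its densest window and the smallest gap
    between consecutive requests in it (race exploits show gaps of a few ms)."""
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_key[(rec["src"], rec["method"], rec["path"], rec["user"])].append(rec["ts"])

    alerts = []
    for (src, method, path, user), stamps in by_key.items():
        stamps.sort()
        start, best = 0, None
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:       # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= min_requests and (best is None or count > best["count"]):
                gaps = [(stamps[i + 1] - stamps[i]) / timedelta(milliseconds=1)
                        for i in range(start, end)]
                best = {"src": src, "request": f"{method} {path}", "user": user,
                        "count": count, "first": stamps[start], "last": ts,
                        "min_gap_ms": min(gaps) if gaps else None}
        if best:
            alerts.append(best)
    return alerts


def constructed_sample():
    """Constructed traffic: one source hammering request pairs, one benign poller, one junk line."""
    base = datetime(2025, 7, 18, 3, 14, 0)
    lines = []
    for n in range(40):                      # 40 pairs: 20 ms inside a pair, 250 ms between pairs
        for k in range(2):
            t = base + timedelta(milliseconds=250 * n + 20 * k)
            lines.append(f'{t.isoformat()} 203.0.113.7 "POST /api/session HTTP/1.1" user=crushadmin')
    for n in range(6):                       # benign: one request every 5 s
        t = base + timedelta(seconds=5 * n)
        lines.append(f'{t.isoformat()} 198.51.100.5 "GET /api/session HTTP/1.1" user=alice')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for a in detect_bursts(constructed_sample()):
        print(f'{a["src"]} sent {a["count"]}x "{a["request"]}" as {a["user"]} '
              f'between {a["first"].time()} and {a["last"].time()} (min gap {a["min_gap_ms"]:.0f} ms)')
```

On the constructed input only 203.0.113.7 is flagged: 80 requests in under ten seconds with a 20 ms minimum gap, while the poller never exceeds three requests per window. The thresholds are deliberately low so the sample trips them; in production, tune `window` and `min_requests` to the server's normal traffic and treat a millisecond-scale minimum gap on an authentication endpoint as the stronger signal.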

The researchers confirmed the exploit's potency by reproducing the attack themselves and creating a new administrator account on a vulnerable CrushFTP instance. Administrator access gave full control of the server, including the ability to read and exfiltrate stored files.

Urgent Steps for Protection

The flaw affects CrushFTP versions prior to v10.8.5 and v11.3.4_23; administrators should check the running build number against those two values. Enterprise deployments that front the server with a demilitarized zone (DMZ) instance appear less exposed, though researchers caution that no unpatched deployment should be considered safe.

Experts strongly recommend updating to the latest available version immediately. Because the fix first shipped quietly in earlier builds without an advisory, organizations that delay routine updates remain at heightened risk. Patching also does not undo a compromise that has already happened: since the exploit was used to create new administrator accounts, review the user list for unexpected administrators and rotate credentials on any instance that ran an affected build while exposed.

“The sophistication of this exploit demonstrates how even minor code changes can inadvertently expose critical weaknesses,” said a researcher at watchTowr. “Patching quickly is the only effective defense.”
