By rssfeeds-admin The vulnerability affects all version 10 installations below 10.8.5 and version 11 installations below 11.3.4_23, potentially compromising thousands of enterprise file transfer systems worldwide.
Security researchers observed attackers leveraging an HTTP(S) attack vector to exploit a previously patched bug that hackers reverse-engineered from recent code changes, highlighting the sophisticated nature of this threat campaign.
Technical Analysis and Attack Vector Methodology
The vulnerability stems from an unintended consequence of a previous AS2-related HTTP(S) security fix implemented around July 1st, 2025.
Threat actors successfully reverse-engineered CrushFTP’s source code modifications and discovered that the original vulnerability could still be exploited through alternative methods despite the initial patch.
The attack vector utilizes HTTP(S) protocol manipulation to bypass authentication mechanisms and gain unauthorized administrative access to target servers.
Primary compromise indicators include unauthorized modifications to the MainUsers/default/user.XML configuration file, which abnormally contains “last_logins” entries and exhibits recent modification timestamps.
Attackers systematically create long, randomized user IDs 7a0d26089ac528941bf8cb998d97f408m and escalate privileges to administrative levels.
Additionally, compromised systems display manipulated version information to provide false security assurance while hiding malicious modifications.
Immediate Response and Remediation Procedures
Organizations discovering a potential compromise must immediately restore default user configurations from backup archives located in the CrushFTP folder/backup/users/MainUsers/default directory.
These compressed backup files require specialized extraction tools, including 7Zip, WinRAR, or WinZip rather than native Windows compression utilities.
Administrators should thoroughly review upload/download audit logs for suspicious file transfers and consider implementing system restoration to July 16th baselines to eliminate potential persistent access mechanisms.
Security teams must validate system integrity using the MD5 hash comparison function available through CrushFTP’s administrative interface to detect unauthorized code modifications.
The validation process compares current system hashes against known-good baselines to identify tampering attempts.
Long-Term Security Hardening Strategies
Enterprise environments should implement DMZ CrushFTP instances as protective barriers for primary infrastructure, as these configurations demonstrated immunity during the attack campaign.
Critical mitigation strategies include restricting administrative access through IP address whitelisting, enabling automatic update mechanisms via the Preferences/Updates configuration panel, and establishing comprehensive network access controls.
Organizations must prioritize regular patch management cycles and maintain current software versions to prevent exploitation of known vulnerabilities.
The incident underscores the importance of defense-in-depth strategies and proactive security monitoring in enterprise file transfer environments facing increasingly sophisticated threat actors.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant updates
The post CrushFTP Zero-Day Exploit Actively Used to Breach Servers appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.