Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: Actively Exploited 0-day vulnerability in CrushFTP, Patch Immediately!
Image
Published : 22/07/2025
- Last update: 22/07/2025
- Affected software: CrushFTP
→ All versions 10 below 10.8.5
→ All versions 11 below 11.3.4_23- Type: Unprotected Alternate Channel (CWE-420)
- CVE/CVSS
→ CVE-2025-54309: CVSS 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Sources
CrushFTP - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
NIST NVD - https://nvd.nist.gov/vuln/detail/CVE-2025-54309
Risks
CrushFTP shared an advisory detailing an actively exploited 0-day vulnerability was found in CrushFTP. The vulnerability was seen exploited in the wild on July 18th, 2025, on a CrushFTP instance not running the latest version.
If you are not using the latest version, this vulnerability could be exploited by malicious threat actors to gain unauthorized access to your CrushFTP server. This vulnerability impacts all vertices of the CIA triad.
Description
This vulnerability was already patched in the latest version of CrushFTP. CrushFTP suspects malicious actors reverse engineered a patch addressing an AS2 in HTTP(S) issue and identified it as a security issue in the previous versions.
Systems that are kept up to date should have been patched before this vulnerability was discovered.
Recommended Actions
Check Systems for Exploitation
The Centre for Cybersecurity Belgium strongly recommends checking if your CrushFTP instance was exploited. Review all file uploads and downloads. The threat actors reused scripts from prior CurshFTP exploits.
According to the vendor advisory, an indicator of compromise is if a “last_logins” value for the internal ‘default’ user account is set in the file “MainUsers/default/user.XML”. Other indicators are listed in the vendor advisory.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
References
Bleeping Computer - https://www.bleepingcomputer.com/news/security/new-crushftp-zero-day-exploited-in-attacks-to-hijack-servers/
Rapid7 - https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/|