🚨 Urgent Alert: CrushFTP Zero‑Day (CVE‑2025‑54309) Under Active Attack
On July 18, 2025, CrushFTP disclosed a critical zero-day in its file transfer server, tracked as CVE-2025-54309, that was already being exploited in the wild. NVD scores it CVSS v3.1 9.0 (Critical), and some third-party trackers rate it as high as 9.8. Either way it is an unauthenticated, remote path to administrative control of the server.
📦 What Is CrushFTP?
CrushFTP is a commercial, cross-platform file transfer server used by enterprises, government agencies, educational institutions, and service providers to handle sensitive data exchange. It supports FTP, SFTP, WebDAV, HTTPS, and AS2—allowing organizations to move files securely within and outside their networks.
Its popularity comes from:
Web-based administration
User quotas and permissions
File encryption
Automated workflows
Cross-platform compatibility (Windows, macOS, Linux)
In short, it’s a powerful tool used in environments where sensitive or regulated data—like student records, payroll files, or legal documents—needs to be shared securely.
🌐 How Widely Is It Used?
CrushFTP is used by:
K–12 districts and universities to exchange student and HR data
Healthcare and legal firms handling HIPAA-protected files
Government agencies including U.S. states and municipalities
Third-party education vendors that service Arkansas and the broader southern region
As of July 18, researchers found 1,000+ public-facing CrushFTP servers still vulnerable, many in North America. Several school systems and public service platforms are believed to be exposed, especially in cases where IT relies on legacy workflows or managed service providers that haven’t patched yet.
🔍 What’s the Risk?
CrushFTP 10 before 10.8.5 and CrushFTP 11 before 11.3.4_23, when the DMZ proxy feature is not in use, fail to properly validate AS2 protocol requests.
An attacker who can reach the HTTPS listener can send specially crafted requests that bypass authentication and obtain admin access, with no credentials and no user interaction.
Once in, they can create admin users, modify user definitions and other critical files, and quietly exfiltrate anything the server holds. Deployments fronted by the DMZ proxy are outside the flaw as NVD describes it, but they should still be patched.
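To turn the version boundaries above into something you can run against an asset inventory, here is an added Python example; it is not CrushFTP's or Red Garrison's tooling. It encodes the affected ranges exactly as stated above (10.x below 10.8.5, 11.x below 11.3.4_23, DMZ-proxy deployments out of scope per NVD) using the vendor's "major.minor.patch" and "major.minor.patch_build" version strings, and triages a constructed sample inventory. The host names and versions in it are made up.

```python
"""Triage a CrushFTP inventory against the CVE-2025-54309 fixed versions.

Added example, not CrushFTP's own tooling. Version strings use the
vendor's "major.minor.patch" or "major.minor.patch_build" form
(for example "11.3.4_23"). The inventory below is constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# First fixed versions per release line, as stated in the advisory text
# (NVD wording): 10.x is fixed at 10.8.5, 11.x at 11.3.4_23.
FIXED = {10: ((10, 8, 5), 0), 11: ((11, 3, 4), 23)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> tuple[tuple[int, int, int], int]:
    """'11.3.4_23' -> ((11, 3, 4), 23); the build number defaults to 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch)), int(build or 0)


@dataclass(frozen=True)
class Host:
    name: str
    version: str
    dmz_proxy: bool = False  # True when the DMZ proxy feature fronts this instance


def triage(host: Host) -> str:
    """Return one of: patched, vulnerable, mitigated, unsupported."""
    base, build = parse_version(host.version)
    fixed = FIXED.get(base[0])
    if fixed is None:
        # e.g. 9.x: not in the CVE's stated range, but long out of support; upgrade anyway
        return "unsupported"
    if (base, build) >= fixed:
        return "patched"
    if host.dmz_proxy:
        # Affected build, but NVD scopes the flaw to non-DMZ deployments; still patch
        return "mitigated"
    return "vulnerable"


# Constructed sample inventory (not real hosts)
INVENTORY = [
    Host("sftp-payroll", "11.3.4_22"),
    Host("sftp-payroll-dmz", "11.3.4_22", dmz_proxy=True),
    Host("transcripts", "11.3.4_26"),
    Host("legacy-ftp", "10.8.4"),
    Host("legacy-ftp-2", "10.8.5"),
    Host("ancient", "9.5.0"),
]


def report(inventory: list[Host] = INVENTORY) -> dict[str, str]:
    """Map host name -> triage status for the whole inventory."""
    return {h.name: triage(h) for h in inventory}


if __name__ == "__main__":
    for name, status in sorted(report().items()):
        print(f"{name:20} {status}")
```

Feed it the version shown in each server's admin "About" page or your CMDB export; anything that comes back "vulnerable" is the priority list for step 1 below, and "mitigated" hosts go right behind it.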
✅ What You Should Do Now
1. Patch Immediately
Upgrade to the latest build of your release line, currently:
CrushFTP 10.8.5_12
CrushFTP 11.3.4_26
The fix first shipped in 10.8.5 and 11.3.4_23; anything older on either line is exposed to the exploitation happening now. Patching closes the hole but does not undo an existing intrusion: a server that was reachable before the upgrade should go through step 2 before you trust it again.
2. Review Server Logs & Look for Indicators of Compromise
Unexpected changes to user definition files (users/MainUsers/<username>/user.xml), especially for the default user, or a default user that now holds admin rights
Unfamiliar admin accounts, including long, random-looking usernames that nobody on staff created
Altered or unexpected login timestamps in user records and server logs
3. Implement or Audit DMZ Proxy Configurations
NVD scopes this flaw to deployments that do not use the DMZ proxy feature, so a correctly configured DMZ proxy in front of the server removes the known attack path and keeps the internal instance off the internet. Treat it as a compensating control, not a substitute for the patch.
4. Limit Admin Panel Access
Use IP allowlisting to restrict administrative access to trusted sources only.
5. Ensure Compliance with Federal Directives
CISA added CVE-2025-54309 to its Known Exploited Vulnerabilities catalog on July 22, 2025. Under BOD 22-01, federal civilian agencies must remediate it by August 12, 2025. The directive does not bind schools, state agencies or private companies, but CISA urges every organization to meet the same deadline, and auditors increasingly use KEV dates as the yardstick for "timely" patching.
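Step 2 above is much easier when you have a known-good reference to compare against. The following added Python example (not a CrushFTP utility) hashes every per-user definition file, diffs a live snapshot against a baseline taken from a trusted backup, and lists new users, changed or removed files, and anything modified after a cut-off time. It assumes the usual on-disk layout of one directory per user under users/MainUsers/<username>/user.XML (adjust USER_GLOB if yours differs) and builds a constructed sample tree in a temporary directory to show the output. It does not interpret the XML itself, so any new directory it reports still needs a person to check whether that account holds admin rights.

```python
"""Baseline-and-diff check of CrushFTP user definition files.

Added example for the indicators-of-compromise step, not CrushFTP's own
tooling. Assumed layout: users/MainUsers/<username>/user.XML under the
CrushFTP install directory. Take the baseline from a known-good backup,
then compare it with the live tree.
"""
from __future__ import annotations

import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed per-user file location; the character class tolerates user.xml / user.XML
USER_GLOB = "users/MainUsers/*/user.[Xx][Mm][Ll]"


def snapshot(crush_root: Path) -> dict[str, dict[str, str]]:
    """Map username -> {sha256, mtime (ISO-8601, UTC)} for each user file found."""
    result: dict[str, dict[str, str]] = {}
    for path in sorted(crush_root.glob(USER_GLOB)):
        data = path.read_bytes()
        mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
        result[path.parent.name] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "mtime": mtime.isoformat(),
        }
    return result


def compare(baseline: dict, current: dict, modified_after: str | None = None) -> dict[str, list[str]]:
    """Classify differences between a known-good snapshot and the live one.

    modified_after is an ISO-8601 timestamp; every current file touched at or
    after it is listed under recent_mtime regardless of whether its hash changed.
    """
    cutoff = datetime.fromisoformat(modified_after) if modified_after else None
    findings: dict[str, list[str]] = {
        "new_users": [], "removed_users": [], "changed": [], "recent_mtime": [],
    }
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            findings["new_users"].append(name)
        elif name not in current:
            findings["removed_users"].append(name)
        elif baseline[name]["sha256"] != current[name]["sha256"]:
            findings["changed"].append(name)
        if name in current and cutoff is not None:
            if datetime.fromisoformat(current[name]["mtime"]) >= cutoff:
                findings["recent_mtime"].append(name)
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed sample: two legitimate users, then an intruder edits the
    default user and adds an account with a long random-looking name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for user in ("default", "payroll-export"):
            d = root / "users" / "MainUsers" / user
            d.mkdir(parents=True)
            (d / "user.XML").write_text(f"<user><username>{user}</username></user>")
        baseline = snapshot(root)

        # Simulated tampering (constructed, not a real artifact of the exploit)
        (root / "users/MainUsers/default/user.XML").write_text(
            "<user><username>default</username><tampered/></user>")
        intruder = root / "users/MainUsers/7a19ffx3kqk9a0d9q4uvnz0z8o1h2xwl"
        intruder.mkdir()
        (intruder / "user.XML").write_text("<user/>")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:14} {names}")
```

In practice, run snapshot() against the restored backup and against the live server, store both as JSON, and pass the date you first exposed the unpatched build as modified_after; an empty report is a necessary condition for calling the server clean, not a sufficient one, so pair it with the log review.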
🏫 Why Arkansas Schools & Businesses Should Pay Attention
CrushFTP is likely in use even if you didn’t install it directly—many third-party education service providers in Arkansas use it for payroll processing, transcript delivery, or grant documentation.
This vulnerability opens the door to ransomware, data breaches, or FERPA violations—none of which schools or small businesses can afford.
🛡️ How Red Garrison Can Help
At Red Garrison LLC, we specialize in practical, local cybersecurity for K–12 districts, colleges, and businesses across Arkansas and the surrounding region.
Here’s what we can do:
🔧 Scan for vulnerable CrushFTP instances
🚨 Help identify compromise indicators
📜 Review logs and user files for tampering
🔐 Rebuild access policies and DMZ setups
🧠 Provide staff training on file transfer hygiene
📝 Document your response for audit and compliance needs
We’re not some faceless security vendor—we’re your neighbors in cybersecurity. Our goal is to make sure Arkansas stays protected and prepared.
📞 Let’s Talk
If you use CrushFTP—or you're not sure whether one of your vendors does—contact Red Garrison today for a quick, confidential check-in.
We'll help you patch, secure, and breathe easier.
🛡️ RedGarrison.com/contact
📍 Arkansas-based | Locally owned | Cybersecurity that speaks your language

