Summary

SANS Internet Storm Center (ISC) reports active brute-force scanning against CrushFTP, a Java-based open-source file transfer system available for multiple operating systems. The scanning is associated with exploitation of multiple known critical vulnerabilities in the product.

Key Details

CrushFTP has been affected by a series of serious vulnerabilities that are now being actively targeted:

  • CVE-2024-4040: A template-injection flaw that allowed unauthenticated attackers to escape the VFS sandbox and achieve remote code execution (RCE).
  • CVE-2025-31161: An authentication bypass vulnerability that granted attackers the crushadmin account without credentials.
  • CVE-2025-54309: A zero-day vulnerability disclosed in July 2025 that was actively exploited in the wild at the time of disclosure.

Active brute-force scans targeting CrushFTP instances have been detected, indicating threat actors are probing for vulnerable or misconfigured deployments.

Impact

  • Remote code execution (unauthenticated)
  • Authentication bypass
  • Full administrative account takeover
  • Sandbox escape from VFS

Recommendations

  • Apply all available patches for CrushFTP immediately
  • Review CrushFTP instance exposure and restrict access where possible
  • Monitor for brute-force activity and authentication anomalies
  • Consider blocking known scanning IPs at the perimeter
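As an added example (not from the SANS ISC diary or from CrushFTP itself), the monitoring recommendation above can be implemented as a sliding-window check over authentication logs: it flags a source exceeding a failure threshold, a success from a source already flagged, and a login to the crushadmin account (the account named in CVE-2025-31161) from a source not on an allow-list. The log format, threshold, window and sample lines are constructed assumptions; map them to your own CrushFTP log fields before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, hypothetical format (not CrushFTP's real one):
# "<ISO timestamp> <source IP> LOGIN <user> <OK|FAIL>"
SAMPLE_LOG = """\
2026-03-04T10:00:01Z 203.0.113.7 LOGIN admin FAIL
2026-03-04T10:00:02Z 203.0.113.7 LOGIN root FAIL
2026-03-04T10:00:03Z 203.0.113.7 LOGIN test FAIL
2026-03-04T10:00:04Z 198.51.100.9 LOGIN alice FAIL
2026-03-04T10:00:05Z 203.0.113.7 LOGIN ftp FAIL
2026-03-04T10:00:06Z 203.0.113.7 LOGIN crushadmin FAIL
2026-03-04T10:00:07Z 198.51.100.9 LOGIN alice OK
2026-03-04T10:00:09Z 203.0.113.7 LOGIN crushadmin OK
2026-03-04T10:30:00Z 192.0.2.10 LOGIN crushadmin OK
"""

FAIL_THRESHOLD = 5              # assumed: failures per source inside WINDOW that count as brute force
WINDOW = timedelta(minutes=5)   # assumed sliding window
PRIVILEGED = {"crushadmin"}     # default admin account named in CVE-2025-31161

def parse_line(line):
    ts, ip, _, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome

def detect(log_text, allowed_admin_sources=frozenset()):
    """Return (alert_type, source_ip, detail) tuples in log order."""
    alerts, flagged = [], set()
    failures = defaultdict(list)    # source IP -> timestamps of recent failures
    for line in filter(None, log_text.splitlines()):
        ts, ip, user, outcome = parse_line(line)
        if outcome == "FAIL":
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW:   # expire failures outside the window
                recent.pop(0)
            if len(recent) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, f"{len(recent)} failures within {WINDOW}"))
        else:
            if ip in flagged:       # a success after a burst of failures is the real alarm
                alerts.append(("success_after_failures", ip, user))
            if user in PRIVILEGED and ip not in allowed_admin_sources:
                alerts.append(("privileged_login", ip, user))
    return alerts

def run_sample():
    # 192.0.2.10 is the constructed "known admin workstation" on the allow-list.
    return detect(SAMPLE_LOG, {"192.0.2.10"})
```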

Notes

  • Source: SANS ISC Diary (English)
  • CrushFTP is used widely for enterprise file transfer; organizations relying on it should treat this as high priority given the history of critical CVEs and active exploitation.

    Extracted: 2026-03-04 UTC | Source: SANS ISC | Confidence: High