Executive Summary
In March 2025, CrushFTP servers were targeted by brute-force attacks exploiting default or weak credentials, particularly the 'crushadmin' account with the password 'crushadmin'. These attacks originated from IP address 5.189.139.225, a French IP with a history of exploit attempts targeting simple vulnerabilities. The attackers aimed to gain unauthorized administrative access, potentially leading to data exfiltration and system compromise. This incident underscores the critical importance of enforcing strong password policies and regularly updating default credentials to prevent unauthorized access. Organizations are advised to review their authentication mechanisms and implement multi-factor authentication where possible to mitigate such risks.
Why This Matters Now
The recent brute-force attacks on CrushFTP servers highlight the ongoing threat posed by weak or default credentials. With cyber attackers continuously scanning for such vulnerabilities, it is imperative for organizations to enforce robust password policies and regularly audit their systems to prevent unauthorized access and potential data breaches.
Attack Path Analysis
An attacker initiated a brute-force attack against a CrushFTP server by attempting to log in with default credentials. Upon successful access, the attacker escalated privileges to gain administrative control. They then moved laterally within the network to identify and access additional resources. The attacker established a command and control channel to maintain persistent access. Sensitive data was exfiltrated from the compromised systems. Finally, the attacker deployed ransomware, encrypting critical files and demanding payment.
Kill Chain Progression
Initial Compromise
Description
The attacker performed a brute-force attack using default credentials ('crushadmin'/'crushadmin') to gain unauthorized access to the CrushFTP server.
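Added example (not from the original advisory) of the detection logic a defender would run over authentication events for the pattern described above: a burst of failed logins from one source, a success immediately following that burst, and any successful login on the default 'crushadmin' account. The log format is a constructed, simplified "timestamp ip username result" layout, not CrushFTP's actual log format; the sample lines reuse the source IP named in this advisory.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events in an assumed, simplified
# "timestamp ip username result" format (not CrushFTP's real log layout).
SAMPLE_LOG = """\
2025-03-03T10:00:01Z 5.189.139.225 crushadmin FAIL
2025-03-03T10:00:02Z 5.189.139.225 crushadmin FAIL
2025-03-03T10:00:03Z 5.189.139.225 admin FAIL
2025-03-03T10:00:04Z 5.189.139.225 crushadmin FAIL
2025-03-03T10:00:05Z 5.189.139.225 crushadmin FAIL
2025-03-03T10:00:06Z 5.189.139.225 crushadmin OK
2025-03-03T10:05:00Z 203.0.113.7 alice FAIL
2025-03-03T10:05:30Z 203.0.113.7 alice OK
"""

DEFAULT_ACCOUNTS = {"crushadmin"}  # default admin account named in the advisory
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_events(log):
    """Return (timestamp, ip, user, result) tuples sorted by time; skip bad lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result))
    return sorted(events)


def detect_brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Flag a source with >= threshold failures inside a sliding window, a success
    that follows such a burst, and any successful login on a default account."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    findings = []
    for ts, ip, user, result in events:
        recent = failures[ip]
        while recent and ts - recent[0] > window:  # expire failures outside the window
            recent.popleft()
        if result == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:  # fire once per burst, not on every extra failure
                findings.append(("brute_force", ip))
        else:
            if len(recent) >= threshold:  # a guessed credential, not a typo
                findings.append(("success_after_brute_force", ip, user))
            if user in DEFAULT_ACCOUNTS:  # default admin account should never log in
                findings.append(("default_account_login", ip, user))
    return findings
```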
Related CVEs
CVE-2025-54309 (CVSS 9.8)
CrushFTP versions prior to 10.8.5 and 11.3.4_23, when the DMZ proxy feature is not used, mishandle AS2 validation, allowing remote attackers to obtain administrative access via HTTPS.
Affected Products:
CrushFTP (vendor: CrushFTP) – versions < 10.8.5, < 11.3.4_23
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Password Guessing
Valid Accounts
Password Policy Discovery
Credential Stuffing
Password Cracking
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-Factor Authentication
Control ID: 8.3.6
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
CrushFTP brute force attacks threaten secure file transfers, potentially compromising sensitive financial data and violating PCI DSS compliance requirements.
Health Care / Life Sciences
Java-based file transfer vulnerabilities expose patient data to unauthorized access, creating HIPAA compliance violations and lateral movement risks.
Information Technology/IT
IT service providers using CrushFTP face credential attacks exploiting default configurations, enabling privilege escalation and client data exfiltration.
Government Administration
Government file transfer systems vulnerable to brute force attacks risk classified data exposure and compliance failures across NIST frameworks.
Sources
- Bruteforce Scans for CrushFTP (Tue, Mar 3rd) – https://isc.sans.edu/diary/rss/32762
- CVE-2025-54309: CrushFTP Zero-Day Vulnerability Exploited In The Wild – https://www.tenable.com/blog/cve-2025-54309-crushftp-zero-day-vulnerability-exploited-in-the-wild
- CrushFTP Vulnerability [CVE-2025-54309] Added to CISA KEV – https://www.censys.com/advisory/cve-2025-54309
- NVD - CVE-2025-54309 – https://nvd.nist.gov/vuln/detail/CVE-2025-54309
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally, exfiltrate data, and deploy ransomware by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been limited to the compromised server, reducing the potential for further exploitation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been constrained, limiting their control over the server.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been restricted, reducing their ability to access additional systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels could have been limited, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been hindered, reducing the volume of data exfiltrated.
Mitigation: The attacker's deployment of ransomware could have been limited to the initially compromised server, reducing the overall impact.
Impact at a Glance
Affected Business Functions
- File Transfer Services
- Data Storage Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive files and administrative credentials.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic, mitigating lateral movement risks.
- Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities across cloud environments.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Apply Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.