
CrushFTP vulnerability exploited

Attackers exploited a CrushFTP vulnerability to gain administrative access.

Unknown attackers have exploited a vulnerability (CVE-2025-54309) in the CrushFTP enterprise file-transfer server solution to gain administrative access to vulnerable deployments.

It’s currently unclear what the attackers are using this access for, but data theft looks most likely. According to the Shadowserver Foundation, there are currently around 1,040 exposed and unpatched CrushFTP instances vulnerable to CVE-2025-54309, predominantly located in the US, Europe, and Canada. How many have been compromised since the attacks began is difficult to estimate.
