CrushFTP: Zero-Day Flaw Enables Remote Admin Access via HTTPS (CVE-2025-54309)

Severity: Critical (CVSS 9.0)
Impact: Remote Administrative Access via Unprotected Alternate Channel
Affected Versions: CrushFTP v10.0.0 to <10.8.5 and v11.0.0 to <11.3.4_23
Mitigation: Upgrade to CrushFTP v10.8.5 or v11.3.4_23 immediately
A critical zero-day vulnerability – CVE-2025-54309 – has surfaced in CrushFTP, a widely deployed multi-protocol file transfer server. This flaw allows unauthenticated remote attackers to gain full administrative access via HTTPS when the DMZ proxy feature is disabled. The vulnerability stems from improper validation of AS2 (Applicability Statement 2) messages, resulting in an unprotected alternate channel that bypasses standard authentication mechanisms. With a CVSSv3 score of 9.0, this is not just a configuration oversight – it’s a high-impact exposure with confirmed exploitation in the wild.
Technical Aspect
CVE-2025-54309 is classified under CWE-420: Unprotected Alternate Channel. The vulnerability arises from CrushFTP’s failure to properly validate AS2 messages in its HTTPS interface when the DMZ proxy is not used. This oversight enables attackers to craft malicious AS2 payloads that bypass authentication and gain administrative control.
The flaw is exploitable remotely, without credentials or user interaction. Attack complexity is rated high due to the need for protocol-specific knowledge, but the impact is severe – attackers can access, modify, or delete sensitive files, create unauthorised admin accounts, and maintain persistent access.
Attack Methodology
Attackers reverse-engineered recent CrushFTP patches to uncover the flaw. Exploitation involves sending specially crafted AS2 messages to the HTTPS interface of a vulnerable CrushFTP server. If the DMZ proxy feature is disabled, the server mishandles the validation process, allowing the attacker to bypass authentication and escalate privileges to admin level.
This vulnerability has been actively exploited since July 18, 2025, with reports from NHS England and Tenable confirming real-world attacks. The flaw is listed in CISA’s Known Exploited Vulnerabilities Catalog, underscoring its critical nature.
Business Impact
The implications of CVE-2025-54309 are far-reaching:
- Data Exposure: Attackers can exfiltrate sensitive files and credentials.
- Operational Disruption: Configuration tampering may disable file transfer services.
- Compliance Risk: Breach of secure file transfer protocols may violate regulatory mandates.
- Persistence: Unauthorised admin accounts and backdoors can enable long-term access.
Organisations in healthcare, finance, and government sectors are particularly at risk due to CrushFTP’s widespread use in secure data exchange.
Mitigation Strategy
CrushFTP has released patched versions:
- v10.8.5
- v11.3.4_23
Immediate actions include:
- Upgrading all CrushFTP instances to the latest patched versions.
- Enabling the DMZ proxy feature, which mitigates the vulnerability by isolating external traffic.
- Reviewing logs for indicators of compromise, including unusual AS2 traffic and unauthorised admin logins.
- Restoring default user configurations from backups dated before July 16, 2025, if compromise is suspected.
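A small inventory triage helper, added here as an example and not CrushFTP's or any vendor's code, that maps the affected ranges above onto version strings. It assumes the version grammar MAJOR.MINOR.PATCH[_BUILD] (as in 11.3.4_23); the host names are constructed.

```python
"""Decide whether a CrushFTP version string falls in the CVE-2025-54309 affected ranges.

Assumption (not from the advisory): versions look like MAJOR.MINOR.PATCH[_BUILD],
with integer components; a missing component counts as 0.
"""
import re
from typing import Dict, Tuple

VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?\s*$")

# Fixed builds named in the advisory; anything earlier in the same major line is affected.
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse "11.3.4_23" -> (11, 3, 4, 23); "10.8.4" -> (10, 8, 4, 0)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CrushFTP version: {text!r}")
    major, minor, patch, build = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch, build)


def is_affected(text: str) -> bool:
    """True if the version is in v10.0.0..<10.8.5 or v11.0.0..<11.3.4_23."""
    version = parse_version(text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return False  # other major lines are outside the published ranges
    return version < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, bool]]:
    """Map host -> (version, affected?) for a host/version inventory."""
    return {host: (ver, is_affected(ver)) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"ftp-dmz-01": "11.3.4_22", "ftp-core-02": "11.3.4_23",
              "legacy-ftp": "10.8.4", "lab-box": "11.3.4"}
    for host, (ver, bad) in triage(sample).items():
        print(f"{host:12} {ver:10} {'AFFECTED - upgrade' if bad else 'patched'}")
```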
Long-term recommendations:
- Restrict external access to CrushFTP interfaces.
- Implement IP whitelisting and network segmentation.
- Monitor AS2 traffic and admin activity continuously.
Disclosure and Response
CrushFTP followed responsible disclosure practices, publishing detailed advisories and mitigation steps in its CompromiseJuly2025 Wiki. Security vendors including Tenable and Rapid7 have issued alerts and plugin updates to detect vulnerable deployments.
Summary
CVE-2025-54309 is a stark reminder that even trusted secure file transfer platforms can harbor critical flaws. With confirmed exploitation and high-impact potential, organisations must act swiftly to patch systems, monitor for compromise, and reassess their CrushFTP deployment strategies. Don’t let this one slip past your defenses – update now and validate your exposure.
Need help securing your CrushFTP environment? Our Threat Detection & Response team is ready to assist.
References:
Exploitation of CrushFTP Vulnerability CVE-2025-54309 (digital.nhs.uk)
NVD – CVE-2025-54309 (nvd.nist.gov)
CVE-2025-54309: CrushFTP Zero-Day Vulnerability Exploited In The Wild (tenable.com)
Crush11wiki: CompromiseJuly2025 (crushftp.com)

Surge in Pet Microchip Phishing Scams

Introduction
A new phishing campaign is targeting UK pet owners by exploiting concerns around pet microchip registration. These scams are not only emotionally manipulative but are also fuelled by serious data security flaws in the systems used to manage pet microchip information. This bulletin outlines the nature of the threat, how it works, the risks involved, and how to stay protected.
Nature of the attack
Pet owners are receiving emails or text messages claiming their pet’s microchip registration is about to expire and urging them to renew it immediately. These messages link to fake websites that closely mimic legitimate microchip registers and prompt users to enter personal and payment details (see image below).
What makes this campaign especially dangerous is the accuracy of the information used in the phishing messages. Many victims report seeing their pet’s name, breed, and even microchip number included, details that lend credibility to the scam.
This level of detail is possible due to serious flaws in how UK pet microchip registers handle data access, as reported by Pen Test Partners. Several platforms allow anyone to retrieve pet details by entering a microchip ID, with no verification, rate-limiting, or monitoring in place. Because microchip numbers follow predictable formats, attackers can automate large-scale lookups and scrape data with ease.
Additionally, shared login details are common among veterinary practices and animal wardens, and two-factor authentication is often missing. These weak access controls have enabled mass data harvesting, which is now being weaponised in phishing campaigns.
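The monitoring the registers lack can be approximated on their own access logs. The following detector is an added example, not code from Pen Test Partners or any register; the log format (timestamp, client IP, 15-digit microchip ID) and the thresholds are assumptions, and the log lines are constructed.

```python
"""Flag clients that look like automated microchip-ID enumeration in a lookup log.

Assumed log format (one lookup per line): ISO-8601 timestamp, client IP, microchip ID.
Two signals are checked: a burst of lookups in a short window, and a walk through
consecutive IDs, which is what a scraper exploiting predictable numbering produces.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

# Constructed sample: one scraper walking sequential IDs, one vet checking a single chip twice.
LOG = """\
2025-07-20T10:00:01Z 203.0.113.7 981000012345001
2025-07-20T10:00:02Z 203.0.113.7 981000012345002
2025-07-20T10:00:03Z 203.0.113.7 981000012345003
2025-07-20T10:00:04Z 203.0.113.7 981000012345004
2025-07-20T10:00:05Z 203.0.113.7 981000012345005
2025-07-20T10:00:06Z 203.0.113.7 981000012345006
2025-07-20T10:05:00Z 198.51.100.9 981000098765432
2025-07-20T10:40:00Z 198.51.100.9 981000098765432
"""


def parse(log: str) -> Iterator[Tuple[datetime, str, int]]:
    for line in log.splitlines():
        ts, ip, chip = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, int(chip)


def enumeration_suspects(log: str, window_s: int = 60, max_per_window: int = 5,
                         min_sequential: int = 4) -> Dict[str, List[str]]:
    """Return {client_ip: [reasons]} for clients whose lookups resemble scraping."""
    by_ip: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, ip, chip in parse(log):
        by_ip[ip].append((ts, chip))
    findings: Dict[str, List[str]] = {}
    for ip, events in by_ip.items():
        events.sort()
        reasons: List[str] = []
        times = [t for t, _ in events]
        lo = 0  # sliding window: count lookups within window_s of each other
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 > max_per_window:
                reasons.append(f"{hi - lo + 1} lookups within {window_s}s")
                break
        run = best = 1  # longest run of consecutive microchip numbers
        for (_, a), (_, b) in zip(events, events[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_sequential:
            reasons.append(f"walked {best} consecutive microchip IDs")
        if reasons:
            findings[ip] = reasons
    return findings
```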
Risk
- Trust Erosion: Reputable microchip services may suffer reputational damage.
- Financial Theft: Victims may unknowingly submit payment details to fraudsters.
- Identity Fraud: Personal and pet data can be used in broader scams.
- Data Exploitation: Harvested data may be sold or reused in future attacks.

Conclusion
This phishing campaign is a stark reminder that cybercriminals will exploit any opportunity, even our love for our pets. Always verify the legitimacy of emails or texts requesting payment or personal information. Official microchip databases will never pressure you with urgent renewal demands via unsolicited messages.
References:
UK Pet Owners Targeted by Fake Microchip Renewal Scams (hackread.com)
Pet microchip scams and data leaks in the UK (pentestpartners.com)

Koske: AI-Forged Polyglot Malware Targets Linux for Cryptomining

Threat Level: High
Impact: Resource hijacking, potential rootkit-enabled persistence
Platforms: Linux (focus on exposed JupyterLab)
First reported: July 2025
Sources: Aqua Nautilus, BleepingComputer
A Panda Worth Avoiding

Koske looks cute on the outside — literally. It arrives wrapped inside seemingly harmless AI-generated panda images. But those JPEGs are polyglot files, carrying a full malware payload designed to hijack processing power, hide in plain sight, and quietly drain resources.
This isn’t just another cryptominer. The campaign blends AI-assisted code, rootkit-level evasion, and multiple persistence layers — all delivered through a novel image-based attack vector that abuses misconfigured, internet-exposed JupyterLab environments.
Initial Access
- Exploits public-facing JupyterLab instances with weak or no authentication.
- Delivers polyglot JPEGs with appended shell scripts and compiled C code.
Execution
Once active, Koske runs its shell script entirely in memory (Command and Scripting Interpreter: Unix Shell, T1059.004), avoiding disk artefacts. It deploys hideproc.so, a rootkit built to hook system calls and conceal related processes, files, and directories (Rootkit, T1014). The cryptominer dynamically selects from 18 different coins based on the host’s hardware, maximising profitability without manual operator tuning.
Persistence
Persistence is achieved by editing .bashrc and .bash_logout (Boot or Logon Initialisation Scripts, T1037) so the malware loads with each shell session. It also creates malicious systemd service units (Create or Modify System Process: Systemd Service, T1543.002) to re-establish itself after reboots. These layers ensure Koske survives simple clean-up attempts.
Defence Evasion
Koske’s rootkit leverages LD_PRELOAD to load before legitimate libraries, enabling it to hide its artefacts from system tools. It resets iptables rules and forces DNS to Cloudflare and Google, locking changes with chattr +i (Modify System Configuration: Network Configuration, T1565.001). For C2 and mining pool connectivity, it uses standard web protocols (Application Layer Protocol: Web Protocols, T1071.001) and retrieves proxy lists from GitHub (Proxy, T1090) to evade filtering.
Current Threat Landscape
Koske’s operators are actively scanning for exposed JupyterLab servers, a favourite target in academic and research environments where security controls are often lax. The AI-assisted development is a signal of what’s coming — malware that’s cleaner, modular, and faster to adapt than traditionally hand-coded threats.
The rootkit component means that Koske isn’t just a “deploy and mine” operation — the infection can persist long after initial compromise, opening the door for secondary payloads or stealthier long-term activity.
Business Impact
Organisations relying on Linux systems for compute-heavy workloads — research, analytics, cloud services — are prime targets. Cryptojacking impacts aren’t just about electricity bills; they slow down critical operations, degrade service performance, and in high-availability environments, can cause outages. The presence of a rootkit also introduces the risk of lateral movement and further compromise.
Defensive Requirements
- Patch and lock down JupyterLab: disable public access without authentication and enable TLS.
- Persistence monitoring: watch for unauthorised changes to .bashrc, .bash_logout, cron jobs, and systemd units.
- Rootkit detection: use baseline-integrity monitoring, memory analysis, and dedicated rootkit scanners.
- Network controls: monitor for DNS changes, unexpected outbound connections, and traffic to known mining pools or proxy lists.
- File execution policies: block or flag script execution from image files; inspect for polyglot anomalies.
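One way to inspect for the polyglot anomaly the campaign relies on: walk the JPEG marker structure to find where the image actually ends, then examine whatever trails the EOI marker. This is an added example, not Koske's code or Aqua's tooling; the sample bytes are a constructed minimal JPEG with a harmless script appended, and the hint strings and trailer threshold are assumptions.

```python
"""Flag JPEG polyglots: a well-formed image followed by non-image trailer data.

Walks the marker segments (APPn, SOS entropy data, EOI) instead of trusting the
extension or the magic bytes, because a polyglot is a valid JPEG by design.
"""
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn markers carry no length field
# Assumed hint strings for a script/binary trailer (detection-side heuristic only).
SCRIPT_HINTS = (b"#!/", b"/bin/sh", b"/bin/bash", b"\x7fELF", b"base64 -d", b"curl ", b"wget ")
MAX_BENIGN_TRAILER = 64  # a few padding bytes after EOI are common; whole scripts are not


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker, or -1 if the JPEG is malformed."""
    if data[:2] != b"\xff\xd8":
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
        elif marker == 0xD9:          # EOI: the image ends here
            return pos + 2
        elif marker in STANDALONE:
            pos += 2
        else:
            if pos + 4 > len(data):
                return -1
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            if marker == 0xDA:        # SOS: skip entropy-coded bytes up to the next real marker
                while pos + 1 < len(data):
                    nxt = data[pos + 1]
                    if data[pos] == 0xFF and nxt != 0x00 and nxt not in STANDALONE:
                        break
                    pos += 1
    return -1


def inspect_image(data: bytes) -> dict:
    """Report trailer size and script hints for a JPEG blob."""
    end = jpeg_end_offset(data)
    if end < 0:
        return {"valid_jpeg": False, "trailing_bytes": 0, "hints": [], "suspicious": False}
    trailer = data[end:]
    hints = [h.decode("latin-1") for h in SCRIPT_HINTS if h in trailer]
    return {"valid_jpeg": True, "trailing_bytes": len(trailer), "hints": hints,
            "suspicious": bool(hints) or len(trailer) > MAX_BENIGN_TRAILER}


# Constructed sample: SOI, APP0/JFIF, a minimal SOS with a stuffed 0xFF00, EOI, then a script.
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
POLYGLOT = CLEAN_JPEG + b"\n#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("polyglot", POLYGLOT)):
        print(name, inspect_image(blob))
```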
Bottom Line
Koske isn’t flashy ransomware or data-stealing spyware — and that’s exactly why it’s dangerous. It’s subtle, persistent, and financially motivated in a way that avoids the noisy chaos of extortionware. Add in AI-assisted coding and an unconventional delivery vector, and you have a threat that’s harder to spot and easier for criminals to replicate.
If you think cryptominers are “low-tier” threats, Koske’s rootkit capabilities and stealth should convince you otherwise: treat this with the same urgency as any other breach.
References:
AI-Generated Malware in Panda Image Hides Persistent Linux Threat (aquasec.com)
New Koske Linux malware hides in cute panda images (bleepingcomputer.com)
