
A Fresh Wave of Attacks, This Time Without Exploits
After a year marked by severe vulnerabilities and emergency patch cycles, CrushFTP is once again in the spotlight. But this time, attackers are not leveraging zero-day exploits or complex remote code execution chains. Instead, they are attempting something far simpler and often just as effective: brute-forcing poorly configured administrator accounts.
The renewed attention on CrushFTP highlights a harsh reality in cybersecurity. Even after critical CVEs make headlines and vendors rush to patch, many systems remain exposed for reasons that have nothing to do with software bugs. Weak credentials continue to be one of the most reliable attack vectors on the internet.
Summary of the Ongoing Brute-Force Activity
CrushFTP, a Java-based open source file transfer system available across multiple operating systems, has faced significant security incidents in recent years. Among the most notable was CVE-2024-4040, a template injection flaw that allowed unauthenticated attackers to escape the VFS sandbox and achieve remote code execution. Then came CVE-2025-31161, an authentication bypass vulnerability that effectively handed over the crushadmin account. In July 2025, CVE-2025-54309, a zero-day vulnerability, was actively exploited in the wild.
However, the current activity is not tied to any newly disclosed vulnerability. Instead, attackers are performing straightforward brute-force login attempts against exposed CrushFTP instances. The method is simple but telling.
Observed requests show HTTP POST attempts directed at the login function endpoint:
POST /WebInterface/function/?command=login&username=crushadmin&password=crushadmin HTTP/1.1
Interestingly, although the request method is POST, the username and password are passed as GET parameters in the URL query string. The request body itself is empty. This indicates automated scanning behavior rather than interactive login attempts.
During the CrushFTP setup process, administrators are required to configure an admin user. The username is customizable, but suggested options include “crushadmin,” “root,” and “admin.” There is no default password, nor is one suggested by the software.
The attacker is clearly betting on administrator negligence, specifically that someone might have chosen “crushadmin” as both username and password.
The brute-force attempts have been traced to IP address 5.189.139.225, identified as a French IP with a known history of probing for easily exploitable systems. The address has reportedly been active in scanning and exploit attempts since around February.
This is not a case of sophisticated exploitation. It is a search for low-hanging fruit.
Weak Credentials as the Oldest Threat in the Book
Brute-force attacks are among the oldest tactics in cybersecurity, yet they remain effective. The reason is painfully simple: human behavior has not evolved at the same pace as security technology.
After high-profile vulnerabilities like CVE-2024-4040 and CVE-2025-31161, organizations may focus heavily on patching. They deploy updates, restart services, and perhaps even conduct emergency audits. But configuration hygiene often lags behind.
When a system like CrushFTP suggests usernames such as “crushadmin,” it creates a predictable attack surface. Attackers know that administrators under time pressure frequently accept defaults or suggestions without much thought. Pair that with a weak password that mirrors the username, and the system becomes an open door.
The Significance of POST with Query Parameters
One subtle but interesting detail in these scans is the use of POST requests where credentials are included as URL query parameters rather than in the request body.
This approach suggests automation. Many scanning frameworks and simple scripts construct requests this way for convenience. It also signals that the attacker is not attempting to mimic legitimate browser behavior perfectly. Instead, they are running systematic checks across numerous targets.
For defenders, this is useful. Such patterns can be detected via log analysis. Empty POST bodies combined with login credentials in query strings form a recognizable fingerprint.
Why CrushFTP Remains a High-Value Target
CrushFTP is widely deployed in environments that handle sensitive file transfers. It is often used by enterprises, managed service providers, and organizations that exchange confidential data.
File transfer systems sit at a critical intersection. They frequently interface with internal storage, user directories, and sometimes automated processing pipelines. Compromising an administrative account can provide direct access to valuable data and potentially serve as a pivot point into internal networks.
After the exploitation of CVE-2025-54309 earlier in 2025, attackers likely cataloged exposed CrushFTP instances. Those same lists can now be reused for credential stuffing and brute-force campaigns.
Attackers Do Not Forget
The scanning activity from 5.189.139.225 demonstrates a persistent pattern. Once a service is identified as historically vulnerable, it often becomes part of a recurring scan list.
Attackers understand something defenders sometimes overlook. Not every organization patches immediately. Not every administrator reviews logs. Not every deployment is hardened properly.
By returning months later with a simple brute-force script, attackers can compromise systems that were never fully secured in the first place.
The Real Risk Is Configuration Complacency
It is tempting to view this activity as low-level noise. After all, it is not exploiting a zero-day vulnerability. It is not bypassing authentication in a novel way. It is simply trying “crushadmin” as both username and password.
But that simplicity is precisely the danger.
If even a small percentage of exposed systems were configured with weak credentials, attackers would gain administrative access without triggering advanced intrusion detection mechanisms. No exploit chain. No malware dropper. Just a login.
Defensive Measures That Matter
The solution to this wave of attacks is straightforward but non-negotiable.
Strong, unique administrator passwords must be enforced. Suggested usernames should be avoided. Multi-factor authentication, if supported, should be enabled for administrative accounts. Rate limiting and account lockout mechanisms should be configured properly.
Additionally, monitoring login endpoints for repeated failed attempts can help identify brute-force campaigns early.
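The fingerprint described above (POST to the login function endpoint, credentials in the query string, empty body) and the repeated-failure monitoring recommended here can be combined into one log check. The following is an added example, not code from the original post or from CrushFTP; it assumes a simple access-log layout ("client_ip - - [timestamp] "request line" status request_body_bytes") and uses constructed sample lines, so the regular expression will need adjusting to a real deployment's log format.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (not real data). Assumed field layout:
# client_ip - - [timestamp] "request line" status request_body_bytes
# CrushFTP's own log format may differ; adjust LINE_RE to match yours.
SAMPLE_LOG = """\
5.189.139.225 - - [10/Sep/2025:08:12:01 +0000] "POST /WebInterface/function/?command=login&username=crushadmin&password=crushadmin HTTP/1.1" 401 0
5.189.139.225 - - [10/Sep/2025:08:12:02 +0000] "POST /WebInterface/function/?command=login&username=admin&password=admin HTTP/1.1" 401 0
5.189.139.225 - - [10/Sep/2025:08:12:03 +0000] "POST /WebInterface/function/?command=login&username=root&password=root HTTP/1.1" 401 0
203.0.113.7 - - [10/Sep/2025:08:13:10 +0000] "POST /WebInterface/function/?command=login HTTP/1.1" 200 512
203.0.113.7 - - [10/Sep/2025:08:13:11 +0000] "GET /WebInterface/ HTTP/1.1" 200 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<body>\d+)'
)

def is_query_string_login(method, target, body_bytes):
    """Fingerprint from the scans: POST to the login function endpoint with
    username/password in the URL query string and an empty request body."""
    parts = urlsplit(target)
    if method != "POST" or not parts.path.startswith("/WebInterface/function/"):
        return False
    # keep_blank_values so an empty password guess still counts as a credential
    qs = parse_qs(parts.query, keep_blank_values=True)
    return (qs.get("command") == ["login"] and "username" in qs
            and "password" in qs and body_bytes == 0)

def find_bruteforce_sources(log_text, threshold=3):
    """Group fingerprint hits by client IP; report sources at or above
    `threshold` attempts, the usernames tried, and how many guesses simply
    mirrored the username as the password (the "crushadmin/crushadmin" bet)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_query_string_login(m["method"], m["target"], int(m["body"])):
            qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
            hits[m["ip"]].append((qs["username"][0], qs["password"][0]))
    report = {}
    for ip, guesses in hits.items():
        if len(guesses) >= threshold:
            report[ip] = {
                "attempts": len(guesses),
                "usernames": sorted({u for u, _ in guesses}),
                "mirrored": sum(1 for u, p in guesses if u == p),
            }
    return report
```

Running `find_bruteforce_sources(SAMPLE_LOG)` flags only the scanning source; the legitimate browser login, which carries its credentials in the request body, does not match the fingerprint.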
Security is not only about patching vulnerabilities. It is about eliminating predictable behavior.
What Undercode Says:
The resurgence of brute-force scans against CrushFTP reveals something deeper than a single IP address or login attempt. It highlights a recurring weakness in enterprise security culture.
When a product experiences severe vulnerabilities such as CVE-2024-4040 or CVE-2025-31161, organizations often respond reactively. Emergency patching becomes the priority. Boards are briefed. Incident response teams are mobilized. But once the immediate storm passes, attention fades.
Attackers understand this lifecycle.
They know that administrators might deploy updates but neglect to review configuration baselines. They know that suggested usernames are often left unchanged. They know that password discipline weakens over time.
What makes this situation particularly concerning is the cumulative context. CrushFTP has already been through a series of high-impact CVEs, including a zero-day exploited in the wild. That history elevates its profile among threat actors. It is not random scanning. It is targeted opportunism.
Another key insight lies in attacker economics. Exploiting a complex vulnerability requires research, testing, and sometimes purchasing access to exploit code. Brute-forcing default-style credentials costs almost nothing. The return on investment can be enormous.
This shift from exploit-driven compromise to configuration-driven compromise is strategic. It reduces noise and avoids triggering patch-based detection strategies.
There is also a psychological factor at play. After surviving a major vulnerability disclosure, administrators may experience a false sense of security. Once patched, they assume the threat is mitigated. In reality, exposure remains if configuration hygiene is poor.
From a defensive standpoint, organizations should treat every externally accessible administrative interface as a high-risk asset. Even without active CVEs, such services attract scanning simply because they exist.
The fact that credentials are being sent in query parameters also suggests that many organizations could detect this activity easily. Yet detection only works if logs are reviewed and alerts are configured.
The broader lesson extends beyond CrushFTP. Any service that suggests predictable usernames or lacks strict password enforcement becomes a candidate for the same treatment.
Cybersecurity maturity is not defined by how quickly patches are applied. It is defined by how consistently basic controls are enforced.
In this case, the attack is simple. The implications are not.
Fact Checker Results
✅ CrushFTP has faced serious vulnerabilities including CVE-2024-4040, CVE-2025-31161, and CVE-2025-54309.
✅ The described attack pattern reflects a brute-force login attempt rather than exploitation of a new CVE.
✅ Weak administrative credentials remain a widely recognized and documented security risk.
Prediction
The next phase of attacks against file transfer platforms will likely blend credential brute-forcing with automated vulnerability scanning.
Expect attackers to reuse historical exposure lists and test both patched and unpatched systems in parallel.
Organizations that focus only on CVE remediation, without enforcing strict credential policies and monitoring, will continue to be compromised through the simplest possible methods.
References:
Reported By: isc.sans.edu