
March 21st vulnerability CVE-2025-31161, or the copycat CVE which triggered the compromising of servers: CVE-2025-0282

We will do our best to update this page over the next few weeks to share what we have seen about how to recognize a compromise.

How to detect:

No magic bullet, but if your log has AWS4 in it...
If you see a new crushadmin2 user...
New random GUID-looking usernames...
You had not already updated to 10.8.4 or 11.3.1 before March 26th...
We believe weaponization started around 3/28, based on logs from customers.
Logs containing (CONNECT) likely indicate compromise, as this text appears only for admin users.
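
The indicators listed above can be searched for in a copy of the logs with a short script. This is an added example, not CrushFTP's own tooling: the sample lines and their layout are constructed for illustration, and the GUID regex is an assumption about what the random usernames look like.

```python
import re
import sys
from collections import defaultdict

# Indicators taken from the list above. The GUID pattern is an assumption about
# what "random GUID-looking usernames" look like (8-4-4-4-12 hex digits).
INDICATORS = {
    "AWS4": re.compile(r"AWS4"),
    "(CONNECT)": re.compile(r"\(CONNECT\)"),
    "crushadmin2": re.compile(r"\bcrushadmin2\b", re.IGNORECASE),
    "guid-like name": re.compile(
        r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b",
        re.IGNORECASE,
    ),
}

def scan_lines(lines):
    """Return {indicator: [(line_number, text), ...]} for every matching line."""
    hits = defaultdict(list)
    for number, line in enumerate(lines, start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append((number, line.rstrip("\n")))
    return dict(hits)

def scan_file(path):
    # errors="replace" so a log containing odd bytes is still read to the end
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        return scan_lines(handle)

# Constructed sample lines; the layout is illustrative, not CrushFTP's real log format.
SAMPLE = [
    "2025-03-27 10:01:02 session=1 user=alice msg=login ok",
    "2025-03-29 02:14:55 session=7 user=anonymous msg=AWS4 seen in request",
    "2025-03-29 02:15:01 session=7 user=crushadmin msg=(CONNECT) session started",
    "2025-03-29 02:16:40 session=9 user=crushadmin msg=user created: crushadmin2",
    "2025-03-29 02:17:12 session=9 user=crushadmin msg=user created: 3f2a9c1e-7b44-4d0a-9e21-5c8d1f0b6a77",
]

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_lines(SAMPLE)
    for name, matches in results.items():
        print(f"== {name}: {len(matches)} line(s)")
        for number, text in matches:
            print(f"  {number}: {text}")
```

Run it against the backup copy of the logs rather than the live server. A GUID-shaped token can also be a legitimate identifier, so treat each hit as a lead to check against the user list.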

We have seen:

Custom jar files installed into CrushFTP, so custom code is now running.
Custom DLLs being installed into system32 on Windows, so the OS is running custom code.
Custom settings changes being made to the Windows configuration.
Additional random GUID-style usernames being created.
Downloading of all files and certificates they can access.
New admin usernames being created.
Disabling of existing admins.
Limiting of the IPs that can do admin actions, in order to create more problems for real admins.
Executing other processes to scan for more items on the network.

Steps we recommend you do to resolve and get back to normal:

Remove CrushFTP from the network.
Make a backup copy of the CrushFTP folder.
Treat anything from 3/28 onwards as suspicious.
Export the User Usage report to understand recently created users.
Run the audit summary report and make note of actions, especially those from the suspicious users.
Restore your entire server to a state from before the compromise date (3/27 to be safe).
Update CrushFTP.jar before you take it online, or follow our offline instructions.
Reset all passwords, especially if you were not using hashing.
Analyze your reports and CrushFTP.logs for odd activity.

This particular version was published on 01-Apr-2025 14:14 by Ben Spink.