New CrushFTP zero-day exploited in attacks to hijack servers


A zero-day vulnerability, tracked as CVE-2025-54309, in CrushFTP, an enterprise file transfer server, is being actively exploited to gain administrative access through the product's web interface. Builds released before July 1, 2025 are affected; the fix ships in v10.8.5 and v11.3.4_23. The attack vector is HTTP(S). Attackers are targeting servers that have not been updated and have been observed modifying the default user configuration, so an unexpected change to that configuration is an indicator of compromise worth checking. An earlier, unrelated fix happened to block the exploit, which is why servers updated after it were already protected, but servers that were not updated remain exploitable. CrushFTP urges administrators to patch immediately, review server logs for signs of unauthorized access, and tighten access controls on the web interface.
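As an added example that is not part of the original article or of CrushFTP's own tooling, the following Python helper decides whether a reported CrushFTP version string is at or above the fixed builds named above (v10.8.5 for the 10.x line, v11.3.4_23 for the 11.x line). It assumes the version format "major.minor.patch" with an optional "_build" suffix, and it treats a version with no build suffix as build 0 (an assumption: such a version predates the suffixed fix build). Major versions other than 10 and 11 are reported as unknown rather than guessed, since the article names fixes only for those two lines.

```python
import re

# Fixed builds from the advisory text: v10.8.5 and v11.3.4_23.
# Tuple layout: (major, minor, patch, build); a missing build suffix is
# treated as 0, which is an assumption about CrushFTP's numbering.
FIXED_BUILDS = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text):
    """Parse 'v11.3.4_23' or '10.8.5' into a comparable tuple.

    Raises ValueError for anything that does not look like a CrushFTP
    version string, so a fleet sweep does not silently pass garbage.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build) if build else 0)


def is_patched(text):
    """Return True if fixed, False if vulnerable, None if the major line
    is not one the advisory names (10 or 11)."""
    version = parse_version(text)
    fixed = FIXED_BUILDS.get(version[0])
    if fixed is None:
        return None
    return version >= fixed


def triage(hosts):
    """Classify {hostname: version} into patched / vulnerable / unknown.

    Unparseable version strings are placed under 'unknown' so they are
    reviewed by hand instead of being dropped.
    """
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in hosts.items():
        try:
            state = is_patched(version)
        except ValueError:
            state = None
        if state is True:
            result["patched"].append(host)
        elif state is False:
            result["vulnerable"].append(host)
        else:
            result["unknown"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    inventory = {
        "mft-01.example.internal": "11.3.4_23",
        "mft-02.example.internal": "11.3.4_22",
        "mft-03.example.internal": "11.3.4",
        "mft-04.example.internal": "10.8.5",
        "mft-05.example.internal": "10.8.4",
        "mft-06.example.internal": "12.0.0",
        "mft-07.example.internal": "n/a",
    }
    for bucket, members in triage(inventory).items():
        print(f"{bucket}: {', '.join(members) or '-'}")
```

Feed it the version strings you collect from each server (for example, from an inventory export) and treat every host in the "vulnerable" bucket as a candidate for the log review and default user check described above, not just for patching.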
