CRUSHFTP , a Java-based open source file transfer system available for multiple operating systems, is the focus of recent brute-force scanning activity rather than a targeted exploit of a particular vulnerability. The diary notes that previous flaws have included CVE-2024-4040, CVE-2025-31161 and the July 2025 zero-day CVE-2025-54309, but current attempts are simply brute-forcing lazy configurations.
The attackers are attempting login via POST requests that pass the username and password as GET parameters, with an empty body, such as a login attempt using crushadmin as both username and password. The piece highlights that CrushFTP setups require an admin user during configuration and that, while the username is not fixed, crushadmin, along with root and admin, are among the suggested options for an account.
These attacks are traced to 5.189.139[.]225, a French IP address described as history of exploit attempts targeting simple vulnerabilities, active since around February.