CrushFTP, a Java-based file transfer server available for multiple operating systems, is currently the target of brute-force scans, posing a significant threat to its users. The product has a history of vulnerabilities, including CVE-2024-4040, a template-injection flaw that allowed unauthenticated attackers to escape the VFS sandbox and achieve remote code execution. Other notable vulnerabilities include CVE-2025-31161, an authentication bypass that granted access to the crushadmin account, and CVE-2025-54309, a zero-day that was actively exploited in the wild in July 2025. Although the current attacks do not exploit a specific vulnerability, they still pose a significant risk: the fact that attackers are targeting CrushFTP instances suggests they are trying to capitalize on any weakness or misconfiguration they can find. The disclosure of CVE-2024-4040 has expanded the active attack surface, so users should prioritize assessing their exposure and checking for evidence of exploitation. Users therefore need to take proactive measures to secure their CrushFTP instances, such as enforcing robust authentication and monitoring for suspicious activity. For practitioners, the takeaway is that they must reevaluate their CrushFTP security posture now to prevent potential breaches.
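As an added example (not from the original article or from CrushFTP itself), the following Python script illustrates the kind of monitoring the article recommends against brute-force scans: it parses failed-login records and flags both single-source bursts and many-source attempts against one account. The log line format, field names and sample records are assumptions constructed for illustration; adapt the regex to your server's actual log output.

```python
"""Brute-force login detector over CrushFTP-style auth logs (added example).

The line format below is an assumption for illustration, not CrushFTP's
documented log format; map LINE_RE to your server's failed-login lines.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "<ISO timestamp> LOGIN_FAIL user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(?P<ts>\S+) LOGIN_FAIL user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def parse_failures(lines):
    """Yield (timestamp, user, ip) for each failed-login line; skip all others."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for sources with >= threshold failures in any sliding window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def detect_spray(lines, min_sources=3):
    """Return {user: distinct_ips} for accounts failed from >= min_sources IPs
    (many sources against one account, e.g. an admin login, is the spraying pattern)."""
    ips_by_user = defaultdict(set)
    for _ts, user, ip in parse_failures(lines):
        ips_by_user[user].add(ip)
    return {u: len(s) for u, s in ips_by_user.items() if len(s) >= min_sources}

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    "2025-08-01T10:00:00 LOGIN_FAIL user=crushadmin ip=203.0.113.10",
    "2025-08-01T10:00:07 LOGIN_FAIL user=admin ip=203.0.113.10",
    "2025-08-01T10:00:15 LOGIN_FAIL user=root ip=203.0.113.10",
    "2025-08-01T10:00:22 LOGIN_FAIL user=test ip=203.0.113.10",
    "2025-08-01T10:00:30 LOGIN_OK user=alice ip=198.51.100.8",  # ignored
    "2025-08-01T10:00:41 LOGIN_FAIL user=ftp ip=203.0.113.10",
    "2025-08-01T10:02:00 LOGIN_FAIL user=crushadmin ip=203.0.113.11",
    "2025-08-01T10:03:00 LOGIN_FAIL user=crushadmin ip=203.0.113.12",
    "2025-08-01T10:03:30 LOGIN_FAIL user=bob ip=198.51.100.7",
]

if __name__ == "__main__":
    print("burst sources:", detect_bruteforce(SAMPLE_LOG))
    print("sprayed accounts:", detect_spray(SAMPLE_LOG))
```

Run against a real log stream, tune `threshold` and `window` to the server's normal failure rate so that legitimate users who mistype a password are not flagged.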