CVE-2025-54309
In short
CrushFTP versions before 10.8.5 and 11.3.4_23 have a flaw in how they validate AS2 (a secure file transfer protocol) when the DMZ proxy feature is disabled, allowing attackers to gain administrator access over HTTPS without proper authentication.
Technical detail
CrushFTP improperly validates AS2 requests when DMZ proxy is not enabled, allowing unauthenticated remote attackers to bypass authentication mechanisms and obtain administrative privileges via HTTPS. The vulnerability affects versions 10.x before 10.8.5 and 11.x before 11.3.4_23, with active exploitation observed in July 2025.
Summary generated and translated by AI from the official description.
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
CrushFTP · CrushFTP
Public PoCs found — 6
GitHub: github.com/watchtowrlabs/watchTowr-vs-CrushFTP-Authentication-Bypass-CVE-2025-54309 (★ 28)
GitHub: github.com/foregenix/CVE-2025-54309 (★ 2)
GitHub: github.com/0xLittleSpidy/CVE-2025-54309 (★ 1)
GitHub: github.com/blueisbeautiful/CVE-2025-54309 (★ 0)
GitHub: github.com/whisperer1290/CVE-2025-54309__Enhanced_exploit (★ 0)
GitHub: github.com/chin-tech/CrushFTP_CVE-2025-54309 (★ 0)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability
https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability