CVE-2025-54309
📋 TL;DR
This vulnerability in CrushFTP allows remote attackers to bypass AS2 validation and gain administrative access via HTTPS when the DMZ proxy feature is not used. It affects CrushFTP servers running vulnerable versions and has been actively exploited in the wild since July 2025.
💻 Affected Systems
- CrushFTP
📦 What is this software?
CrushFTP by CrushFTP
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the CrushFTP server with administrative privileges, enabling data theft, lateral movement, and persistent backdoor installation.
Likely Case
Attackers gain admin access to the FTP server, allowing them to exfiltrate sensitive files, modify configurations, and deploy malware.
If Mitigated
Limited impact if proper network segmentation and access controls prevent lateral movement from the compromised FTP server.
🎯 Exploit Status
Actively exploited in the wild since July 2025. Exploitation requires HTTPS access to the CrushFTP server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CrushFTP 10.8.5 or CrushFTP 11.3.4_23
Vendor Advisory: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
Restart Required: Yes
Instructions:
1. Download the patched version from the CrushFTP website.
2. Stop the CrushFTP service.
3. Install the update.
4. Restart the CrushFTP service.
🔧 Temporary Workarounds
Enable DMZ Proxy Feature
Enabling the DMZ proxy feature mitigates the vulnerability, since it is only exploitable when the DMZ proxy is not used.
Configure DMZ proxy in CrushFTP admin interface: Admin → Server Settings → DMZ Proxy → Enable
🧯 If You Can't Patch
- Enable DMZ proxy feature immediately as temporary mitigation
- Restrict network access to CrushFTP server using firewall rules to only trusted IP addresses
🔍 How to Verify
Check if Vulnerable:
Check CrushFTP version in admin interface or via system logs. Versions 10.x before 10.8.5 and 11.x before 11.3.4_23 are vulnerable.
Check Version:
Check CrushFTP admin interface or logs for version information
Verify Fix Applied:
Verify version is 10.8.5 or higher for v10, or 11.3.4_23 or higher for v11. Test admin access controls.
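The version comparison described above is easy to get wrong by hand because CrushFTP 11 builds carry a trailing build number (the "_23" in 11.3.4_23). The following script is an added example, not CrushFTP's own tooling or anything from the vendor advisory: it parses a version string into a comparable tuple and reports whether it falls below the patched release for its major line. A missing build suffix is treated as build 0, so a bare "11.3.4" is still reported as vulnerable, and major versions the advisory does not mention (anything other than 10.x and 11.x) return None rather than a guess. The sample strings at the bottom are constructed inputs, not readings from any real host.

```python
import re
from typing import Optional, Tuple

# Patched releases named in the advisory, as (major, minor, patch, build).
# This script is an added example, not CrushFTP's own version checker.
PATCHED = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}

# Accepts "10.8.5" and "11.3.4_23"; the build suffix is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a CrushFTP version string into a comparable tuple.

    A missing build suffix is treated as build 0, so "11.3.4" sorts below
    "11.3.4_23" and is reported as vulnerable, matching the advisory wording.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the patched release for its major line, False if at or
    above it, None for major versions the advisory does not cover."""
    v = parse_version(version)
    patched = PATCHED.get(v[0])
    if patched is None:
        return None
    return v < patched


if __name__ == "__main__":
    # Constructed sample inputs, not values read from a real server.
    for sample in ["10.8.4", "10.8.5", "11.3.4", "11.3.4_22",
                   "11.3.4_23", "11.3.5", "9.5.0"]:
        print(f"{sample:>10}: vulnerable={is_vulnerable(sample)}")
```

Feed it the version string shown in the admin interface or the server log; a result of None means the major line is outside what this advisory describes and should be checked against the vendor page directly.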
📡 Detection & Monitoring
Log Indicators:
- Unexpected admin login events
- AS2 validation failures
- Configuration changes from unknown IPs
Network Indicators:
- HTTPS requests to CrushFTP admin endpoints from unusual sources
- Unusual file transfer patterns
SIEM Query:
source="crushftp.log" AND (event="admin_login" OR event="as2_validation") AND result="success" AND src_ip NOT IN [trusted_ips]
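The SIEM query above is written in a generic pseudo-syntax, and the actual CrushFTP log layout is not shown on this page. The script below is an added example, not part of the advisory or any vendor tooling: it applies the same logic (successful admin_login or as2_validation events from a source outside the trusted ranges) to a small set of constructed log lines. The key=value line format, the field names and the sample addresses are all assumptions made for the example; the trusted ranges are expressed as CIDR blocks so a whole management subnet can be allow-listed rather than individual IPs.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed log format for this example. The real CrushFTP log layout is not
# shown on the page, so these fields (ts, event, result, src_ip, user) are an
# assumption chosen to mirror the SIEM query in the advisory.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) result=(?P<result>\w+) "
    r"src_ip=(?P<src_ip>[0-9a-fA-F.:]+) user=(?P<user>\S+)$"
)

# Events the advisory's query watches for.
WATCHED_EVENTS = {"admin_login", "as2_validation"}


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its fields."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    return m.groupdict()


def find_suspicious(lines: Iterable[str],
                    trusted_cidrs: Iterable[str]) -> List[Dict[str, str]]:
    """Return entries where a watched event succeeded from outside trusted ranges.

    Mirrors: event in (admin_login, as2_validation) AND result=success
             AND src_ip NOT IN trusted_ips
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry["event"] not in WATCHED_EVENTS or entry["result"] != "success":
            continue
        src = ipaddress.ip_address(entry["src_ip"])
        if any(src in net for net in trusted):
            continue
        hits.append(entry)
    return hits


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, not real attacker addresses.
SAMPLE_LOG = """
2025-07-18T09:12:01Z event=admin_login result=success src_ip=10.0.5.20 user=crushadmin
2025-07-18T09:13:44Z event=as2_validation result=success src_ip=203.0.113.77 user=anonymous
2025-07-18T09:13:45Z event=admin_login result=success src_ip=203.0.113.77 user=crushadmin
2025-07-18T09:14:02Z event=admin_login result=failure src_ip=198.51.100.9 user=crushadmin
2025-07-18T09:15:30Z event=file_upload result=success src_ip=203.0.113.77 user=crushadmin
"""

# Assumed trusted management ranges for the example.
TRUSTED = ["10.0.0.0/8", "192.168.1.0/24"]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines(), TRUSTED):
        print(f"{hit['ts']} {hit['event']} from {hit['src_ip']} as {hit['user']}")
```

On the sample data only the two successful events from 203.0.113.77 are reported: the login from the trusted 10.0.0.0/8 range, the failed login and the unwatched file_upload event are all skipped. Adapt LOG_RE to the real log format before using this against production logs.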
🔗 References
- https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/
- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
- https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
- https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309