CVE-2025-63420

4.1 MEDIUM

📋 TL;DR

CVE-2025-63420 is a stored HTML injection vulnerability in the CrushFTP11 admin panel: an attacker with access to the panel can inject HTML into the 'Who Created Folder' report, and the injected markup is rendered every time an administrator views that report, which can lead to session hijacking or phishing. Only CrushFTP11 installations with admin panel access are affected.

💻 Affected Systems

Products:
  • CrushFTP11
Versions: All versions before 11.3.7_57
Operating Systems: All platforms running CrushFTP11
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the CrushFTP Admin Panel to exploit the Reports feature.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator session hijacking leading to full system compromise, data theft, or ransomware deployment through social engineering attacks.

🟠 Likely Case

Session hijacking or credential theft via phishing pages displayed to administrators viewing the malicious report.

🟢 If Mitigated

Limited impact with proper input validation and output encoding preventing HTML execution.

🌐 Internet-Facing: MEDIUM - Exploitation requires admin panel access, but internet-facing instances increase attack surface.
🏢 Internal Only: MEDIUM - Internal attackers with access to the admin panel could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the admin panel. Public proof-of-concept demonstrates HTML injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.3.7_57

Vendor Advisory: https://www.crushftp.com/

Restart Required: Yes

Instructions:

1. Download CrushFTP11 version 11.3.7_57 or later from the official vendor site.
2. Back up the current configuration and data.
3. Stop the CrushFTP service.
4. Install the updated version.
5. Restart the CrushFTP service.

🔧 Temporary Workarounds

Disable Reports Feature (applies to: all)

Temporarily disable the Reports feature in the admin panel to prevent exploitation.

Navigate to Admin Panel > Settings > Reports and disable 'Who Created Folder' reporting.

Restrict Admin Panel Access (applies to: all)

Limit access to the admin panel to trusted IP addresses only.

Configure firewall rules to restrict access to the CrushFTP admin panel port (default 8080).

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all user inputs in the Reports feature.
  • Monitor admin panel access logs for suspicious activity and implement multi-factor authentication for admin accounts.

🔍 How to Verify

Check if Vulnerable:

Check the CrushFTP version in the admin panel or via the command line:

java -jar CrushFTP.jar --version

Verify Fix Applied:

Verify version is 11.3.7_57 or later and test the 'Who Created Folder' report for HTML injection.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML content in report entries
  • Multiple failed login attempts to admin panel
  • Suspicious admin session activity

Network Indicators:

  • Unusual traffic patterns to admin panel port
  • Requests containing HTML injection payloads

SIEM Query:

source="crushftp.log" AND ("Who Created Folder" OR "report") AND ("<script>" OR "javascript:")
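The version check under "How to Verify" and the "Unusual HTML content in report entries" log indicator above, as an added example that is not part of this page or of CrushFTP itself: the version comparison is against the 11.3.7_57 build named on the page, and the report entries are constructed sample data (the real report format is not described here and is assumed to expose a folder name and a creator field).

```python
import re

# Fixed build named on this page; anything older is treated as vulnerable.
FIXED_VERSION = "11.3.7_57"


def parse_version(ver):
    """Turn '11.3.7_57' into (11, 3, 7, 57); a missing build number counts as 0."""
    main, _, build = ver.strip().partition("_")
    parts = [int(p) for p in main.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]) + (int(build) if build.isdigit() else 0,)


def is_vulnerable(ver):
    """True when the installed version predates the fixed build."""
    return parse_version(ver) < parse_version(FIXED_VERSION)


# An HTML tag opener (<tag or </tag) or a javascript: URL scheme, neither of
# which belongs in a folder name or a creator field of the report.
HTML_MARKUP = re.compile(r"</?[a-zA-Z!]|javascript\s*:", re.IGNORECASE)


def flag_injected_entries(entries):
    """Return the report entries whose fields contain HTML markup."""
    return [e for e in entries if any(HTML_MARKUP.search(v) for v in e.values())]


# Constructed sample report rows (hypothetical field names, not CrushFTP's own).
SAMPLE_REPORT = [
    {"folder": "/projects/q3", "creator": "alice"},
    {"folder": "/shared/<script>alert(1)</script>", "creator": "mallory"},
    {"folder": "/docs", "creator": '<a href="javascript:void(0)">bob</a>'},
    {"folder": "/a < b comparison", "creator": "carol"},  # bare '<' is not a tag
]

if __name__ == "__main__":
    for v in ("11.3.6_40", "11.3.7_57", "11.3.8"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    for entry in flag_injected_entries(SAMPLE_REPORT):
        print("HTML markup in report entry:", entry)
```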
