CVE-2025-54309
CrushFTP Unprotected Alternate Channel Vulnerability - [Actively Exploited]
Description
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
INFO
Published Date: July 18, 2025, 7:15 p.m.
Last Modified: July 23, 2025, 5:51 p.m.
Source: [email protected]
Remotely Exploitable: Yes
Impact Score: 5.9
Exploitability Score: 3.9
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, CrushFTP mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54309
Public PoC/Exploit Available at GitHub
CVE-2025-54309 has 4 public PoCs/exploits available on GitHub. Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-54309.
| URL | Resource |
|---|---|
| https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/ | Press/Media Coverage |
| https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 | Third Party Advisory |
| https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/ | Press/Media Coverage |
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by the most recently updated).
- CrushFTP Unauthenticated Remote Command Execution Exploit (Python)
- No description provided (Python)
- CISA Bot is a GitHub bot that automatically monitors the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. When new vulnerabilities are published in the KEV, the bot creates GitHub issues in this repository with detailed information about each vulnerability. (Python)
- 📡 PoC auto collect from GitHub. ⚠️ Be careful Malware. (tags: security, cve, exploit, poc, vulnerability)
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2025-54309 vulnerability anywhere in the article.
- CybersecurityNews: Critical CrushFTP 0-Day RCE Vulnerability Technical Details and PoC Released
  A significant zero-day vulnerability in CrushFTP has been disclosed, allowing unauthenticated attackers to achieve complete remote code execution on vulnerable servers. The flaw, tracked as CVE-2025-5 ...
- Help Net Security: Week in review: Microsoft SharePoint servers under attack, landing your first cybersecurity job
  Here's an overview of some of last week's most interesting news, articles, interviews and videos: Microsoft pins on-prem SharePoint attacks on Chinese threat actors As Microsoft continues to update it ...
- The Cyber Express: Starlink Outage Sparks Cyberattack Speculation—But SpaceX Says Software to Blame
  SpaceX's Starlink internet service suffered a major international outage, disconnecting tens of thousands of users for over two hours. The Starlink outage began around 3 p.m. Eastern Time (19:00 GMT), ...
- Daily CyberSecurity: CISA Alert: Actively Exploited Zero-Days in CrushFTP, Chrome, and SysAid Added to KEV Catalog
  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with four new entries that are currently under active exploitation. These ...
- Help Net Security: Microsoft pins on-prem SharePoint attacks on Chinese threat actors
  As Microsoft continues to update its customer guidance for protecting on-prem SharePoint servers against the latest in-the-wild attacks, more security firms have begun sharing details about the ones t ...
- security.nl: Over eleven hundred CrushFTP servers are missing the update for an attacked vulnerability
  Over eleven hundred CrushFTP servers are missing a critical security update for an actively attacked vulnerability. Forty of the vulnerable servers are located in the Netherlands, according to The Shadowserver Foundatio ...
- The Cyber Express: Debug Code in ExpressVPN Windows App Caused IP Leak via RDP Port
  ExpressVPN has alerted users of a security issue in its Windows application that allowed certain Remote Desktop Protocol (RDP) traffic to bypass the VPN tunnel, potentially exposing users' IP addresse ...
- Help Net Security: Critical CrushFTP vulnerability exploited. Have you been targeted? (CVE-2025-54309)
  Unknown attackers have exploited a vulnerability (CVE-2025-54309) in the CrushFTP enterprise file-transfer server solution to gain administrative access to vulnerable deployments. It's currently uncle ...
- BleepingComputer: Over 1,000 CrushFTP servers exposed to ongoing hijack attacks
  Over 1,000 CrushFTP instances currently exposed online are vulnerable to hijack attacks that exploit a critical security bug, providing admin access to the web interface. The security vulnerability (C ...
- The Cyber Express: CrushFTP Servers Hit by Critical Zero-Day Vulnerability CVE-2025-54309
  A new zero-day vulnerability in CrushFTP file transfer servers is being actively exploited by cybercriminals, compromising systems around the world. Tracked as CVE-2025-54309, the CrushFTP zero-day vu ...
- security.nl: CrushFTP reports active exploitation of critical security vulnerability
  The makers of the FTP server software CrushFTP warn of active exploitation of a critical vulnerability through which attackers can remotely gain access to vulnerable servers. Exploitation has since ...
- CybersecurityNews: Weekly Cybersecurity Newsletter: Chrome 0-Day, VMware Flaws Patched, Fortiweb Hack, Teams Abuse, and More
  It's been a busy seven days for security alerts. Google is addressing another actively exploited zero-day in Chrome, and VMware has rolled out key patches for its own set of vulnerabilities. We'll als ...
- The Hacker News: Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on Unpatched Servers
  Jul 20, 2025, Ravie Lakshmanan, Vulnerability / Threat Intelligence. A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2 ...
- CybersecurityNews: New CrushFTP 0-Day Vulnerability Exploited in the Wild to Gain Access to Servers
  A critical zero-day flaw in the CrushFTP managed file-transfer platform was confirmed after vendor and threat-intelligence sources confirmed active exploitation beginning on 18 July 2025 at 09:00 CST. ...
- Daily CyberSecurity: FortiWeb SQL Injection (CVE-2025-25257) Added to CISA KEV After Active Exploitation, PoC Available!
  A critical SQL injection vulnerability in Fortinet FortiWeb, tracked as CVE-2025-25257, has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog following confirmation of active exploi ...
- Daily CyberSecurity: CVE-2025-54309: CrushFTP Targeted in Active Exploits Due to Unpatched Zero-Day Vulnerability
  CrushFTP, a widely used secure file transfer server, has issued an urgent advisory regarding a critical zero-day vulnerability, tracked as CVE-2025-54309 (CVSS 9.0), that has been actively exploited i ...
- Daily CyberSecurity: CVE-2025-4660 (CVSS 8.7) in Forescout SecureConnector Allows Remote Endpoint Hijack, PoC Publishes
  NetSPI has uncovered a critical vulnerability in Forescout SecureConnector, a security agent meant to enforce endpoint compliance. This same tool—designed for system hardening—could be abused by attac ...
- BleepingComputer: New CrushFTP zero-day exploited in attacks to hijack servers
  CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnera ...
- BleepingComputer: CrushFTP zero-day exploited in attacks to gain admin access on servers
  CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnera ...
The following table lists the changes that have been made to the CVE-2025-54309 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- Initial Analysis by [email protected], Jul. 23, 2025
  - Added CVSS V3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  - Added CPE Configuration: OR `*cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*` versions from (including) 10.0.0 up to (excluding) 10.8.5; `*cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*` versions from (including) 11.0.0 up to (excluding) 11.3.4_23
  - Added Reference Type: MITRE: https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/ (Types: Press/Media Coverage)
  - Added Reference Type: MITRE: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 (Types: Third Party Advisory)
  - Added Reference Type: MITRE: https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/ (Types: Press/Media Coverage)
- CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725, Jul. 23, 2025
  - Added Vulnerability Name: CrushFTP Unprotected Alternate Channel Vulnerability
  - Added Date Added: 2025-07-22
  - Added Due Date: 2025-08-12
  - Added Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- CVE Modified by [email protected], Jul. 19, 2025
  - Added Reference: https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/
  - Added Reference: https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
- New CVE Received by [email protected], Jul. 18, 2025
  - Added Description: CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
  - Added CVSS V3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  - Added CWE: CWE-420
  - Added Reference: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-54309 is associated with the following CWEs:
- CWE-420: Unprotected Alternate Channel
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-54309 weaknesses.