Known Exploited Vulnerability
9.8
CRITICAL
CVE-2025-54309
CrushFTP Unprotected Alternate Channel Vulnerability - [Actively Exploited]
Description

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

INFO

Published Date: July 18, 2025, 7:15 p.m.

Last Modified: July 23, 2025, 5:51 p.m.

Remotely Exploitable: Yes

Impact Score: 5.9

Exploitability Score: 3.9
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, it mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Notes :

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54309

Public PoC/Exploit Available at Github

CVE-2025-54309 has 4 public PoCs/exploits available on GitHub. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by the CVE-2025-54309 vulnerability. Although cvefeed.io is aware of the exact product versions that are affected, that information is not represented in the table below.

ID Vendor Product Action
1 Crushftp crushftp
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-54309.

URL Resource
https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/ Press/Media Coverage
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 Third Party Advisory
https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/ Press/Media Coverage

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs-of-concept that have been published on GitHub (sorted by the most recently updated).

CrushFTP Unauthenticated Remote Command Execution Exploit

Python

Updated: 1 week, 5 days ago
1 star, 0 forks, 0 watchers
Created: July 26, 2025, 2:51 p.m. This repo is also linked to 1 other CVE.

(no description)

Python

Updated: 16 hours, 22 minutes ago
0 stars, 0 forks, 0 watchers
Created: Oct. 29, 2024, 8:10 p.m. This repo is also linked to 10 other CVEs.

CISA Bot is a GitHub bot that automatically monitors the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. When new vulnerabilities are published in the KEV, the bot creates GitHub issues in this repository with detailed information about each vulnerability.

Python

Updated: 4 days, 11 hours ago
2 stars, 1 fork, 1 watcher
Created: Oct. 29, 2024, 10:19 a.m. This repo is also linked to 194 other CVEs.

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 17 hours, 56 minutes ago
7156 stars, 1194 forks, 1194 watchers
Created: Dec. 8, 2019, 1:03 p.m. This repo is also linked to 813 other CVEs.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2025-54309 vulnerability anywhere in the article.

  • CybersecurityNews
Critical CrushFTP 0-Day RCE Vulnerability Technical Details and PoC Released

A significant zero-day vulnerability in CrushFTP has been disclosed, allowing unauthenticated attackers to achieve complete remote code execution on vulnerable servers. The flaw, tracked as CVE-2025-5 ... Read more

Published Date: Jul 31, 2025 (1 week, 2 days ago)
  • Help Net Security
Week in review: Microsoft SharePoint servers under attack, landing your first cybersecurity job

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft pins on-prem SharePoint attacks on Chinese threat actors As Microsoft continues to update it ... Read more

Published Date: Jul 27, 2025 (1 week, 6 days ago)
  • The Cyber Express
Starlink Outage Sparks Cyberattack Speculation—But SpaceX Says Software to Blame

SpaceX’s Starlink internet service suffered a major international outage, disconnecting tens of thousands of users for over two hours. The Starlink outage began around 3 p.m. Eastern Time (19:00 GMT), ... Read more

Published Date: Jul 25, 2025 (2 weeks, 2 days ago)
  • Daily CyberSecurity
CISA Alert: Actively Exploited Zero-Days in CrushFTP, Chrome, and SysAid Added to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with four new entries that are currently under active exploitation. These ... Read more

Published Date: Jul 23, 2025 (2 weeks, 4 days ago)
  • Help Net Security
Microsoft pins on-prem SharePoint attacks on Chinese threat actors

As Microsoft continues to update its customer guidance for protecting on-prem SharePoint servers against the latest in-the-wild attacks, more security firms have begun sharing details about the ones t ... Read more

Published Date: Jul 22, 2025 (2 weeks, 4 days ago)
  • security.nl
Over 1,100 CrushFTP servers missing update for actively attacked vulnerability

Over 1,100 CrushFTP servers are missing a critical security update for an actively attacked vulnerability. Forty of the vulnerable servers are located in the Netherlands, according to The Shadowserver Foundatio ... Read more

Published Date: Jul 22, 2025 (2 weeks, 4 days ago)
  • The Cyber Express
Debug Code in ExpressVPN Windows App Caused IP Leak via RDP Port

ExpressVPN has alerted users of a security issue in its Windows application that allowed certain Remote Desktop Protocol (RDP) traffic to bypass the VPN tunnel, potentially exposing users’ IP addresse ... Read more

Published Date: Jul 22, 2025 (2 weeks, 4 days ago)
  • Help Net Security
Critical CrushFTP vulnerability exploited. Have you been targeted? (CVE-2025-54309)

Unknown attackers have exploited a vulnerability (CVE-2025‑54309) in the CrushFTP enterprise file-transfer server solution to gain administrative access to vulnerable deployments. It’s currently uncle ... Read more

Published Date: Jul 21, 2025 (2 weeks, 5 days ago)
  • BleepingComputer
Over 1,000 CrushFTP servers exposed to ongoing hijack attacks

Over 1,000 CrushFTP instances currently exposed online are vulnerable to hijack attacks that exploit a critical security bug, providing admin access to the web interface. The security vulnerability (C ... Read more

Published Date: Jul 21, 2025 (2 weeks, 5 days ago)
  • The Cyber Express
CrushFTP Servers Hit by Critical Zero-Day Vulnerability CVE-2025-54309

A new zero-day vulnerability in CrushFTP file transfer servers is being actively exploited by cybercriminals, compromising systems around the world. Tracked as CVE-2025-54309, the CrushFTP zero-day vu ... Read more

Published Date: Jul 21, 2025 (2 weeks, 5 days ago)
  • security.nl
CrushFTP reports active exploitation of critical security vulnerability

The makers of the FTP server software CrushFTP warn of active exploitation of a critical vulnerability that allows attackers to gain remote access to vulnerable servers. Exploitation has since ... Read more

Published Date: Jul 21, 2025 (2 weeks, 5 days ago)
  • CybersecurityNews
Weekly Cybersecurity Newsletter: Chrome 0-Day, VMware Flaws Patched, Fortiweb Hack, Teams Abuse, and More

It’s been a busy seven days for security alerts. Google is addressing another actively exploited zero-day in Chrome, and VMware has rolled out key patches for its own set of vulnerabilities. We’ll als ... Read more

Published Date: Jul 20, 2025 (2 weeks, 6 days ago)
  • The Hacker News
Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on Unpatched Servers

Jul 20, 2025Ravie LakshmananVulnerability / Threat Intelligence A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2 ... Read more

Published Date: Jul 20, 2025 (2 weeks, 6 days ago)
  • CybersecurityNews
New CrushFTP 0-Day Vulnerability Exploited in the Wild to Gain Access to Servers

A critical zero-day flaw in the CrushFTP managed file-transfer platform was confirmed after vendor and threat-intelligence sources confirmed active exploitation beginning on 18 July 2025 at 09:00 CST. ... Read more

Published Date: Jul 19, 2025 (3 weeks ago)
  • Daily CyberSecurity
FortiWeb SQL Injection (CVE-2025-25257) Added to CISA KEV After Active Exploitation, PoC Available!

A critical SQL injection vulnerability in Fortinet FortiWeb, tracked as CVE-2025-25257, has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog following confirmation of active exploi ... Read more

Published Date: Jul 19, 2025 (3 weeks, 1 day ago)
  • Daily CyberSecurity
CVE-2025-54309: CrushFTP Targeted in Active Exploits Due to Unpatched Zero-Day Vulnerability

CrushFTP, a widely used secure file transfer server, has issued an urgent advisory regarding a critical zero-day vulnerability, tracked as CVE-2025-54309 (CVSS 9.0), that has been actively exploited i ... Read more

Published Date: Jul 19, 2025 (3 weeks, 1 day ago)
  • Daily CyberSecurity
CVE-2025-4660 (CVSS 8.7) in Forescout SecureConnector Allows Remote Endpoint Hijack, PoC Publishes

NetSPI has uncovered a critical vulnerability in Forescout SecureConnector, a security agent meant to enforce endpoint compliance. This same tool—designed for system hardening—could be abused by attac ... Read more

Published Date: Jul 19, 2025 (3 weeks, 1 day ago)
  • BleepingComputer
New CrushFTP zero-day exploited in attacks to hijack servers

CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnera ... Read more

Published Date: Jul 18, 2025 (3 weeks, 1 day ago)
  • BleepingComputer
CrushFTP zero-day exploited in attacks to gain admin access on servers

CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnera ... Read more

Published Date: Jul 18, 2025 (3 weeks, 1 day ago)

The following table lists the changes that have been made to the CVE-2025-54309 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Jul. 23, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CPE Configuration OR
      *cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:* versions from (including) 10.0.0 up to (excluding) 10.8.5
      *cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:* versions from (including) 11.0.0 up to (excluding) 11.3.4_23
    Added Reference Type MITRE: https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/ Types: Press/Media Coverage
    Added Reference Type MITRE: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 Types: Third Party Advisory
    Added Reference Type MITRE: https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/ Types: Press/Media Coverage
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Jul. 23, 2025

    Action Type Old Value New Value
    Added Vulnerability Name CrushFTP Unprotected Alternate Channel Vulnerability
    Added Date Added 2025-07-22
    Added Due Date 2025-08-12
    Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  • CVE Modified by [email protected]

    Jul. 19, 2025

    Action Type Old Value New Value
    Added Reference https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/
    Added Reference https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
  • New CVE Received by [email protected]

    Jul. 18, 2025

    Action Type Old Value New Value
    Added Description CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
    Added CVSS V3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    Added CWE CWE-420
    Added Reference https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The chart below shows the EPSS score history of the vulnerability.

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-54309 is associated with the following CWE:

CWE-420 - Unprotected Alternate Channel

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-54309 weaknesses.

CVSS31 - Vulnerability Scoring System

The metric values below correspond to the NVD vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H recorded in the vulnerability history (base score 9.8).

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High