Known Exploited Vulnerability
9.8
CRITICAL CVSS 3.1
CVE-2025-54309
CrushFTP Unprotected Alternate Channel Vulnerability - [Actively Exploited]
Description

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

INFO

Published Date: July 18, 2025, 7:15 p.m.

Last Modified: July 23, 2025, 5:51 p.m.

Remotely Exploitable: Yes
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, CrushFTP mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Notes :

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54309

Affected Products

The following products are affected by the CVE-2025-54309 vulnerability. Although cvefeed.io is aware of the exact affected versions, that information is not shown in the table below.

ID Vendor Product Action
1 Crushftp crushftp
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL [email protected]
CVSS 3.1 CRITICAL [email protected]
Solution
Update CrushFTP to a version that addresses AS2 validation issues.
  • Update CrushFTP to version 10.8.5 or later.
  • Update CrushFTP to version 11.3.4_23 or later.
  • Ensure the DMZ proxy feature is configured if not updating.
Public PoC/Exploit Available at Github

CVE-2025-54309 has 6 public PoCs/exploits available on GitHub. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-54309.

URL Resource
https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/ Press/Media Coverage
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 Third Party Advisory
https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/ Press/Media Coverage
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-54309 is associated with the following CWE: CWE-420 (Unprotected Alternate Channel).

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-54309 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by the most recently updated).

CrushFTP AS2 Authentication Bypass

Updated: 1 day, 7 hours ago
0 stars 0 fork 0 watcher
Born at : Aug. 29, 2025, 3:05 a.m. This repo has been linked 1 different CVEs too.

None

Python

Updated: 1 day, 11 hours ago
10 stars 1 fork 1 watcher
Born at : Aug. 25, 2025, 3:07 a.m. This repo has been linked 1 different CVEs too.

CrushFTP Unauthenticated Remote Command Execution Exploit

Python

Updated: 1 month ago
1 stars 0 fork 0 watcher
Born at : July 26, 2025, 2:51 p.m. This repo has been linked 1 different CVEs too.

None

Updated: 1 day, 2 hours ago
0 stars 0 fork 0 watcher
Born at : March 21, 2025, 1:11 p.m. This repo has been linked 1 different CVEs too.

CISA Bot is a GitHub bot that automatically monitors the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. When new vulnerabilities are published in the KEV, the bot creates GitHub issues in this repository with detailed information about each vulnerability.

Python

Updated: 3 days, 8 hours ago
2 stars 1 fork 1 watcher
Born at : Oct. 29, 2024, 10:19 a.m. This repo has been linked 205 different CVEs too.

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 1 day, 14 hours ago
7229 stars 1202 fork 1202 watcher
Born at : Dec. 8, 2019, 1:03 p.m. This repo has been linked 802 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list shows news articles that mention the CVE-2025-54309 vulnerability anywhere in the article.

  • CybersecurityNews
CISA Warns of Citrix Netscaler 0-day RCE Vulnerability Exploited in Attacks

CISA has issued an urgent warning regarding a critical zero-day vulnerability affecting Citrix NetScaler systems, designated as CVE-2025-7775. This memory overflow vulnerability enables remote code ex ... Read more

Published Date: Aug 28, 2025 (2 days, 4 hours ago)
  • CybersecurityNews
28,000+ Citrix Servers Exposed to Active 0-Day RCE Vulnerability Exploited in the Wild

A critical zero-day remote code execution (RCE) vulnerability, tracked as CVE-2025-7775, is affecting over 28,000 Citrix instances worldwide. The flaw is being actively exploited in the wild, promptin ... Read more

Published Date: Aug 27, 2025 (2 days, 16 hours ago)
  • CybersecurityNews
PoC Exploit Released for CrushFTP 0-day Vulnerability (CVE-2025-54309)

A weaponized proof-of-concept exploit has been publicly released targeting CVE-2025-54309, a severe authentication bypass vulnerability affecting CrushFTP file transfer servers. The flaw enables remot ... Read more

Published Date: Aug 27, 2025 (2 days, 16 hours ago)
  • CybersecurityNews
IPFire Web-Based Firewall Interface Allows Authenticated Administrator to Inject Persistent JavaScript

A stored cross-site scripting (XSS) flaw identified in IPFire 2.29’s web-based firewall interface (firewall.cgi). Tracked as CVE-2025-50975, the vulnerability allows any authenticated administrator to ... Read more

Published Date: Aug 27, 2025 (2 days, 17 hours ago)
  • CybersecurityNews
NVIDIA NeMo AI Curator Enables Code Execution and Privilege Escalation

NVIDIA has issued a critical security bulletin addressing a high-severity vulnerability in its NeMo Curator platform that could allow attackers to execute malicious code and escalate privileges on aff ... Read more

Published Date: Aug 27, 2025 (2 days, 17 hours ago)
  • CybersecurityNews
Critical CrushFTP 0-Day RCE Vulnerability Technical Details and PoC Released

A significant zero-day vulnerability in CrushFTP has been disclosed, allowing unauthenticated attackers to achieve complete remote code execution on vulnerable servers. The flaw, tracked as CVE-2025-5 ... Read more

Published Date: Jul 31, 2025 (4 weeks, 2 days ago)
  • Help Net Security
Week in review: Microsoft SharePoint servers under attack, landing your first cybersecurity job

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft pins on-prem SharePoint attacks on Chinese threat actors As Microsoft continues to update it ... Read more

Published Date: Jul 27, 2025 (1 month ago)
  • The Cyber Express
Starlink Outage Sparks Cyberattack Speculation—But SpaceX Says Software to Blame

SpaceX’s Starlink internet service suffered a major international outage, disconnecting tens of thousands of users for over two hours. The Starlink outage began around 3 p.m. Eastern Time (19:00 GMT), ... Read more

Published Date: Jul 25, 2025 (1 month ago)
  • Daily CyberSecurity
CISA Alert: Actively Exploited Zero-Days in CrushFTP, Chrome, and SysAid Added to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with four new entries that are currently under active exploitation. These ... Read more

Published Date: Jul 23, 2025 (1 month, 1 week ago)
  • Help Net Security
Microsoft pins on-prem SharePoint attacks on Chinese threat actors

As Microsoft continues to update its customer guidance for protecting on-prem SharePoint servers against the latest in-the-wild attacks, more security firms have begun sharing details about the ones t ... Read more

Published Date: Jul 22, 2025 (1 month, 1 week ago)
  • security.nl
More Than Eleven Hundred CrushFTP Servers Missing Update for Exploited Flaw

More than eleven hundred CrushFTP servers are missing a critical security update for an actively exploited vulnerability. Forty of the vulnerable servers are located in the Netherlands, according to The Shadowserver Foundatio ... Read more

Published Date: Jul 22, 2025 (1 month, 1 week ago)
  • The Cyber Express
Debug Code in ExpressVPN Windows App Caused IP Leak via RDP Port

ExpressVPN has alerted users of a security issue in its Windows application that allowed certain Remote Desktop Protocol (RDP) traffic to bypass the VPN tunnel, potentially exposing users’ IP addresse ... Read more

Published Date: Jul 22, 2025 (1 month, 1 week ago)
  • Help Net Security
Critical CrushFTP vulnerability exploited. Have you been targeted? (CVE-2025-54309)

Unknown attackers have exploited a vulnerability (CVE-2025‑54309) in the CrushFTP enterprise file-transfer server solution to gain administrative access to vulnerable deployments. It’s currently uncle ... Read more

Published Date: Jul 21, 2025 (1 month, 1 week ago)
  • BleepingComputer
Over 1,000 CrushFTP servers exposed to ongoing hijack attacks

Over 1,000 CrushFTP instances currently exposed online are vulnerable to hijack attacks that exploit a critical security bug, providing admin access to the web interface. The security vulnerability (C ... Read more

Published Date: Jul 21, 2025 (1 month, 1 week ago)
  • The Cyber Express
CrushFTP Servers Hit by Critical Zero-Day Vulnerability CVE-2025-54309

A new zero-day vulnerability in CrushFTP file transfer servers is being actively exploited by cybercriminals, compromising systems around the world. Tracked as CVE-2025-54309, the CrushFTP zero-day vu ... Read more

Published Date: Jul 21, 2025 (1 month, 1 week ago)
  • security.nl
CrushFTP Reports Active Exploitation of Critical Security Flaw

The makers of the FTP server software CrushFTP warn of active exploitation of a critical vulnerability that allows attackers to gain remote access to vulnerable servers. Exploitation has been taking place since ... Read more

Published Date: Jul 21, 2025 (1 month, 1 week ago)
  • CybersecurityNews
Weekly Cybersecurity Newsletter: Chrome 0-Day, VMware Flaws Patched, Fortiweb Hack, Teams Abuse, and More

It’s been a busy seven days for security alerts. Google is addressing another actively exploited zero-day in Chrome, and VMware has rolled out key patches for its own set of vulnerabilities. We’ll als ... Read more

Published Date: Jul 20, 2025 (1 month, 1 week ago)
  • The Hacker News
Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on Unpatched Servers

Jul 20, 2025Ravie LakshmananVulnerability / Threat Intelligence A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2 ... Read more

Published Date: Jul 20, 2025 (1 month, 1 week ago)
  • CybersecurityNews
New CrushFTP 0-Day Vulnerability Exploited in the Wild to Gain Access to Servers

A critical zero-day flaw in the CrushFTP managed file-transfer platform was confirmed after vendor and threat-intelligence sources confirmed active exploitation beginning on 18 July 2025 at 09:00 CST. ... Read more

Published Date: Jul 19, 2025 (1 month, 1 week ago)
  • Daily CyberSecurity
FortiWeb SQL Injection (CVE-2025-25257) Added to CISA KEV After Active Exploitation, PoC Available!

A critical SQL injection vulnerability in Fortinet FortiWeb, tracked as CVE-2025-25257, has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog following confirmation of active exploi ... Read more

Published Date: Jul 19, 2025 (1 month, 1 week ago)

The following table lists the changes that have been made to the CVE-2025-54309 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Jul. 23, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CPE Configuration OR *cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:* versions from (including) 10.0.0 up to (excluding) 10.8.5 *cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:* versions from (including) 11.0.0 up to (excluding) 11.3.4_23
    Added Reference Type MITRE: https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/ Types: Press/Media Coverage
    Added Reference Type MITRE: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 Types: Third Party Advisory
    Added Reference Type MITRE: https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/ Types: Press/Media Coverage
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Jul. 23, 2025

    Action Type Old Value New Value
    Added Vulnerability Name CrushFTP Unprotected Alternate Channel Vulnerability
    Added Date Added 2025-07-22
    Added Due Date 2025-08-12
    Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  • CVE Modified by [email protected]

    Jul. 19, 2025

    Action Type Old Value New Value
    Added Reference https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/
    Added Reference https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
  • New CVE Received by [email protected]

    Jul. 18, 2025

    Action Type Old Value New Value
    Added Description CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
    Added CVSS V3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    Added CWE CWE-420
    Added Reference https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 9.8 (NVD vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High