CrushFTP has a critical vulnerability identified as CVE-2025-54309, which affects versions prior to 10.8.5 and 11.3.4_23. This vulnerability allows remote attackers to obtain admin access via HTTPS when the DMZ proxy feature is not utilized. Exploits have been reported in the wild since July 2025, leading to unauthorized access to sensitive administrative functions.
With a CVSS score of 9.0, this vulnerability is classified as critical, indicating a severe risk to organizations using affected versions of CrushFTP. The impact is substantial, as attackers may leverage this vulnerability to gain administrative privileges without requiring any user interaction. Organizations should prioritize patching immediately.
The urgency is underscored by the active exploitation observed, as attackers have successfully exploited this vulnerability in various environments. Organizations running vulnerable versions must take immediate action to mitigate potential risks and secure their systems against unauthorized access.
Given the critical nature of this vulnerability, it is crucial for security teams to assess their environments, identify any affected installations, and implement the necessary updates as soon as possible.
Vulnerability Details
The official description of CVE-2025-54309 states that 'CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.' This flaw has a CVSS score of 9, indicating critical severity.
The affected product is CrushFTP, and the vulnerability was published on July 18, 2025. The CWE classification for this vulnerability is CWE-420, indicating a potential weakness in the implementation of security controls.
Technical Analysis
The root cause of CVE-2025-54309 stems from a mishandling of AS2 validation by CrushFTP. This flaw allows attackers to exploit the administration interface of the application without any required privileges, as the DMZ proxy feature is not utilized in the affected versions.
The attack vector for this vulnerability is classified as NETWORK, meaning that an attacker can exploit the vulnerability remotely. The attack complexity is high, requiring specific conditions to be met, but no privileges are required for the attacker. Additionally, user interaction is not necessary, further increasing the risk.
The impact of this vulnerability is significant: it poses a high risk to confidentiality, integrity, and availability, which means that an attacker can compromise sensitive data, modify it, or disrupt service availability.
Risk & Impact Analysis
The real-world deployment risk associated with CVE-2025-54309 is substantial. Organizations using CrushFTP versions earlier than 10.8.5 and 11.3.4_23 are at risk of unauthorized access and administrative control being compromised. The potential blast radius is considerable, as attackers may exploit this vulnerability across multiple installations.
Given the critical nature of this vulnerability and its exploitation in the wild, organizations should address this in their priority patch cycle. The potential for data loss and service disruption necessitates immediate action.
Signal | Status |
|---|---|
Known Exploit | Yes |
Public PoC | Yes |
Actively Exploited | Yes |
Ransomware Use | No |
Affected Versions
The affected versions of CrushFTP include all versions prior to 10.8.5 and 11.3.4_23. Organizations using these versions should take immediate action to patch the vulnerability.
Mitigation & Remediation
To mitigate this vulnerability, organizations should upgrade to CrushFTP version 10.8.5 or 11.3.4_23 or later. If a patch is unavailable, organizations must follow vendor instructions for temporary workarounds and configure their systems accordingly. Regular monitoring and testing of the network can help identify any unauthorized access attempts.
For further assistance, organizations may consider engaging in penetration testing services to validate their security posture.
Detection Guidance
Organizations should monitor logs for unusual access patterns, especially around administrative functions. Behavioral anomalies, such as unexpected logins or changes to configuration settings, should be investigated promptly. Implementing network signatures can also aid in detecting potential exploitation attempts.
AppSecure Threat Intelligence Insight
The long-term significance of CVE-2025-54309 lies in its demonstration of the risks associated with mishandled validation processes. This vulnerability highlights the importance of robust security controls and thorough testing before deploying software in production environments. Security teams should take this opportunity to review their security policies and incident response plans.
To enhance their security posture, organizations can implement a penetration testing methodology to continuously assess their systems for vulnerabilities.
Additionally, incorporating insights from threat intelligence reports can help organizations understand emerging trends and adjust their defenses accordingly. Following industry best practices, such as those outlined in the vulnerability management program, can further strengthen security measures.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)