CVE-2025-54309

CRITICALCISA KEV

9.0

Descripcion

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

Detalles CVE

Puntuacion CVSS v3.19.0

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadHIGH

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado7/18/2025

Ultima modificacion11/5/2025

Fuentekev

Avistamientos honeypot0

CISA KEV

VendedorCrushFTP

ProductoCrushFTP

Nombre vulnerabilidad CrushFTP Unprotected Alternate Channel Vulnerability

Fecha inclusion KEV2025-07-22

Fecha limite remediacion2025-08-12

Uso en ransomwareUnknown

Productos afectados

crushftp:crushftp

Debilidades (CWE)

CWE-420

Referencias

https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/(cve@mitre.org)

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025(cve@mitre.org)

https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/(cve@mitre.org)

https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability(cve@mitre.org)

https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability(cve@mitre.org)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.