CVE-2025-54309

CRITICALCISA KEV

9.0

Beschreibung

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

CVE Details

CVSS v3.1 Bewertung9.0

SchweregradCRITICAL

CVSS VektorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AngriffsvektorNETWORK

KomplexitatHIGH

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht7/18/2025

Zuletzt geandert11/5/2025

Quellekev

Honeypot-Sichtungen0

CISA KEV

HerstellerCrushFTP

ProduktCrushFTP

Schwachstellenname CrushFTP Unprotected Alternate Channel Vulnerability

KEV Aufnahmedatum2025-07-22

Behebungsfrist2025-08-12

Ransomware-NutzungUnknown

Betroffene Produkte

crushftp:crushftp

Schwachen (CWE)

CWE-420

Referenzen

https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/(cve@mitre.org)

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025(cve@mitre.org)

https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/(cve@mitre.org)

https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability(cve@mitre.org)

https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability(cve@mitre.org)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.