CVE-2025-54309

CRITICALCISA KEV

9.0

Description

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

CVE Details

CVSS v3.1 Score9.0

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityHIGH

Privileges RequiredNONE

User InteractionNONE

Published7/18/2025

Last Modified11/5/2025

Sourcekev

Honeypot Sightings0

CISA KEV

VendorCrushFTP

ProductCrushFTP

Vulnerability Name CrushFTP Unprotected Alternate Channel Vulnerability

KEV Date Added2025-07-22

Remediation Due Date2025-08-12

Ransomware UseUnknown

Affected Products

crushftp:crushftp

Weaknesses (CWE)

CWE-420

References

https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/(cve@mitre.org)

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025(cve@mitre.org)

https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/(cve@mitre.org)

https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability(cve@mitre.org)

https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability(cve@mitre.org)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.