CVE-2025-54309

CRITICALCISA KEV

9.0

Description

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

Details CVE

Score CVSS v3.19.0

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteHIGH

Privileges requisNONE

Interaction utilisateurNONE

Publie7/18/2025

Derniere modification11/5/2025

Sourcekev

Observations honeypot0

CISA KEV

FournisseurCrushFTP

ProduitCrushFTP

Nom vulnerabilite CrushFTP Unprotected Alternate Channel Vulnerability

Date ajout KEV2025-07-22

Date limite remediation2025-08-12

Utilise dans ransomwareUnknown

Produits affectes

crushftp:crushftp

Faiblesses (CWE)

CWE-420

References

https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/(cve@mitre.org)

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025(cve@mitre.org)

https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/(cve@mitre.org)

https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability(cve@mitre.org)

https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability(cve@mitre.org)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.