
Description

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

PUBLISHED Reserved 2025-07-18 | Published 2025-07-18 | Updated 2025-10-21 | Assigner mitre

CRITICAL: 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA Known Exploited Vulnerability

Date added 2025-07-22 | Due date 2025-08-12

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

CWE-420 Unprotected Alternate Channel

Product status

Default status
unaffected

10 (custom) before 10.8.5
affected

11 (custom) before 11.3.4_23
affected
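The affected ranges above are the only machine-checkable facts in this record, and checking them correctly requires handling the `_BUILD` suffix that CrushFTP 11 uses (11.3.4 is affected, 11.3.4_23 is not). The following is an added example written for this page, not code from CrushFTP or from the CVE record. It assumes the version string has the shape `MAJOR.MINOR.PATCH` with an optional `_BUILD` suffix, treats a missing build as build 0, and treats branches other than 10.x and 11.x as unaffected because that is the record's default status, not because of any independent assessment of those branches. The DMZ-proxy flag reflects the description's "when the DMZ proxy feature is not used" condition; whether that feature is actually in use must be established from the deployment itself.

```python
"""Affected-version check for CVE-2025-54309 (CrushFTP), derived from the
product-status ranges in the CVE record. Added example; not vendor code."""
import re
import sys
from typing import Tuple

# Fixed versions exactly as stated in the record's product status.
FIXED_VERSIONS = {10: "10.8.5", 11: "11.3.4_23"}

# Assumed version shape: MAJOR.MINOR.PATCH with optional _BUILD suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, build) for a CrushFTP version string.

    Assumption (not from the record): a version with no _BUILD suffix is
    build 0, so '11.3.4' sorts before '11.3.4_23'. Anything else is rejected
    rather than guessed at, since a misparse here would hide an affected host.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside an affected range of the record."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        # Record's default status is "unaffected" for majors other than 10/11.
        return False
    return parsed < parse_version(fixed)


def is_exposed(version: str, dmz_proxy_in_use: bool = False) -> bool:
    """Affected version AND the DMZ proxy condition from the description.

    The description scopes the issue to deployments where the DMZ proxy
    feature is not used. The flag is an input the operator must supply;
    nothing in the version string reveals it.
    """
    return is_affected(version) and not dmz_proxy_in_use


def classify(version: str, dmz_proxy_in_use: bool = False) -> str:
    """Human-readable verdict for a single host."""
    if not is_affected(version):
        return "unaffected"
    if dmz_proxy_in_use:
        return "affected version, but DMZ proxy in use per description"
    return "AFFECTED: patch to " + FIXED_VERSIONS[parse_version(version)[0]]


if __name__ == "__main__":
    # Constructed sample inventory (hostname, version, dmz_proxy_in_use);
    # not real hosts.
    inventory = [
        ("ftp-a.example.test", "10.8.4", False),
        ("ftp-b.example.test", "11.3.4", False),
        ("ftp-c.example.test", "11.3.4_22", True),
        ("ftp-d.example.test", "11.3.4_23", False),
    ]
    for host, ver, dmz in (inventory if len(sys.argv) < 2
                           else [("cli", sys.argv[1], False)]):
        print(f"{host:22} {ver:12} {classify(ver, dmz)}")
```

Run it with no arguments to see the constructed inventory classified, or pass a single version string (for example `11.3.4_22`) to check one host. The comparison is a plain tuple comparison, so any future fixed version can be dropped into `FIXED_VERSIONS` without touching the logic.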

References

www.cisa.gov/...erabilities-catalog?field_cve=CVE-2025-54309 government-resource

www.crushftp.com/...h11wiki/Wiki.jsp?page=CompromiseJuly2025

www.rapid7.com/...t/crushftp-zero-day-exploited-in-the-wild/

www.bleepingcomputer.com/...to-gain-admin-access-on-servers/

www.vicarius.io/...-2025-54309-detect-crushftp-vulnerability

www.vicarius.io/...025-54309-mitigate-crushftp-vulnerability

cve.org (CVE-2025-54309)

nvd.nist.gov (CVE-2025-54309)
