CVE-2025-54309
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- July 18, 2025
- Published Date
- July 18, 2025
- Last Updated
- October 21, 2025
- Vendor
- CrushFTP
- Product
- CrushFTP
- Description
- CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
- Tags
- Exploitation
- active
- Technical Impact
- total
- Exploited in the Wild
- Yes (2026-06-01 10:37:11 UTC) Source
cisa
CVSS Scores
CVSS v3.1
9.0 - CRITICAL
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
SSVC Information
Exploit Status
References
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/
https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability
https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CVE | 2026-06-01 10:37:11 UTC |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel