Back to KEVs

CVE-2025-54309

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote...

Basic Information

CVE State
PUBLISHED
Reserved Date
July 18, 2025
Published Date
July 18, 2025
Last Updated
July 30, 2025
Vendor
CrushFTP
Product
CrushFTP
Description
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
Tags
cisa

CVSS Scores

CVSS v3.1

9.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

Score
7.46% (Percentile: 91.37%) as of 2025-07-30

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-07-18 19:40:30 UTC) Source

References

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/ https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/

Known Exploited Vulnerability Information

Source Added Date
CVE 2025-07-18 19:40:23 UTC

Recent Mentions

Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on Unpatched Servers

Source: TheHackerNews • Published: 2025-07-20 07:35:00 UTC

A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS score of 9.0. "CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS," according to

CrushFTP zero-day exploited in attacks to gain admin access on servers

Source: BleepingComputer • Published: 2025-07-18 22:24:29 UTC

CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers. [...]

New CrushFTP zero-day exploited in attacks to hijack servers

Source: BleepingComputer • Published: 2025-07-18 22:24:29 UTC

CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers. [...]

CVE-2025-54309: Critical Zero-Day Vulnerability in CrushFTP Exploited

Source: Arctic Wolf • Published: 2025-07-18 20:46:29 UTC

On July 18, 2025, CrushFTP disclosed that a zero-day vulnerability—now tracked as CVE-2025-54309—had been exploited in the wild, likely for some time. Threat actors reverse engineered the code, identified a previously fixed bug (likely present in builds prior to early July), and exploited it in unpatched systems to gain remote access via HTTP(S). The bug ... CVE-2025-54309: Critical Zero-Day Vulnerability in CrushFTP Exploited

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel