Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2025-54309
PUBLISHEDCrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote...
1 day faster than CISA KEV
- Vendor
- CrushFTP
- Product
- CrushFTP
- Published
- Jul 18, 2025
- EPSS
- 76.8% · 99% pctl
Automate this intelligence with the Pro API
Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.
Description
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
Weaknesses (CWE)
-
Unprotected Alternate Channel
CVSS scores
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitation status
Exploited in the wild
Recorded 2026-06-01 10:37:11 UTC · CVE
References
- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
- https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
- https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/
- https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CVE First | 2026-06-01 10:37 UTC |
| CISA | 2026-06-02 14:06 UTC |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel
-
KEV confirmed by CISA