AS2 Validation Misconfiguration in CrushFTP Affects Remote Admin Access
CVE-2025-54309
What is CVE-2025-54309?
CVE-2025-54309 is a vulnerability in CrushFTP, a widely used file transfer server for secure file sharing and management. It stems from a flaw in the AS2 validation process that is exposed when the DMZ proxy feature is not in use; as a result, remote attackers can obtain unauthorized administrative access over HTTPS. Because administrative access amounts to full control of the server, the flaw lets an attacker manipulate files, exfiltrate sensitive data, or disrupt service for organizations that rely on CrushFTP for secure file transfers.
The vulnerability affects specific versions of CrushFTP: version 10 prior to 10.8.5 and version 11 prior to 11.3.4_23. Organizations running these versions without the mitigating configuration (the DMZ proxy) are particularly exposed and face serious consequences should the vulnerability be exploited.
Potential impact of CVE-2025-54309
- Unauthorized Remote Access: Attackers can exploit this vulnerability to obtain administrative privileges, allowing them to control the server and access sensitive information, which could lead to data breaches and significant confidentiality loss.
- System Compromise: With admin access, malicious actors can execute harmful actions, such as manipulating or deleting files and potentially deploying malware, disrupting business operations and leading to severe operational risks.
- Reputational Damage and Financial Loss: Exploitation of this vulnerability can result in significant reputational harm to organizations, alongside potential financial losses due to fines, legal liabilities, and the costs associated with remediation and recovery efforts.
CISA has reported CVE-2025-54309
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-54309 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
CrushFTP 10 < 10.8.5
CrushFTP 11 < 11.3.4_23
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles

CVE-2025-54309 | Arctic Wolf
On July 18, 2025, CrushFTP disclosed that a zero-day vulnerability—now tracked as CVE-2025-54309—had been exploited in the wild, likely for some time.
CISA Adds Four Known Exploited Vulnerabilities to Catalog | CISA
CISA has added four new vulnerabilities to its KEV Catalog, based on evidence of active exploitation
CrushFTP with 0-day vulnerability CVE-2025-54309 | Born's Tech and Windows World
[German] Anyone among my blog readers who uses the CrushFTP program for file transfer? In the meantime, several readers have reported (thanks for that) that there are reports of a 0-day vulnerability...
EPSS Score
7% chance of being exploited in the next 30 days.
Timeline
- 🟡 Public PoC available
- 🦅 CISA Reported
- 💰 Used in Ransomware
- 👾 Exploit known to exist
- 📰 First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability Reserved