A critical vulnerability in CrushFTP, tracked as CVE-2025-54309, is being actively exploited in the wild, posing a significant threat to organizations using the affected versions of the software. This flaw, which has been assigned a CVSS score of 9.8, allows remote attackers to gain administrative access via HTTPS when the DMZ proxy feature is not utilized. The vulnerability affects CrushFTP versions 10 before 10.8.5 and 11 before 11.3.4_23.
The vulnerability, published on July 18, 2025, has been added to the Known Exploited Vulnerabilities (KEV) catalog as of July 22, 2025, indicating its active exploitation status. The Exploit Prediction Scoring System (EPSS) rates this vulnerability at 0.778, highlighting the high likelihood of exploitation. Furthermore, the time to exploit in the wild was remarkably short, with attackers taking advantage of the flaw within just four days of its disclosure.
The core issue lies in the mishandling of AS2 validation by CrushFTP, which can be exploited by attackers to bypass authentication mechanisms and obtain unauthorized administrative access. This vulnerability is classified under CWE-420, which pertains to improper restriction of excessive authentication attempts. The availability of at least seven proof-of-concept (PoC) exploits has further exacerbated the situation, making it easier for attackers to leverage this flaw.
Organizations using CrushFTP are urged to assess their exposure to this vulnerability immediately. The presence of PoC exploits in the public domain significantly lowers the barrier for potential attackers, increasing the urgency for patching. The vendor has released updates to address this vulnerability, and users are strongly advised to upgrade to CrushFTP 10.8.5 or 11.3.4_23 to mitigate the risk.
Security teams should prioritize this vulnerability in their patch management processes, given its critical severity and active exploitation status. Monitoring for unusual administrative access attempts and reviewing logs for signs of exploitation can help in detecting potential breaches. Additionally, enabling the DMZ proxy feature, if not already in use, can provide an additional layer of protection against this type of attack.
In summary, CVE-2025-54309 represents a significant threat to organizations using vulnerable versions of CrushFTP. With active exploitation confirmed and multiple PoC exploits available, immediate action is required to secure affected systems. Organizations should apply the necessary patches without delay and implement additional security measures to safeguard against unauthorized access.
CSURFACE