CVE-2025-54309
Published 2025-07-18
Priority P198 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-08-12
Exploited in the wild
EPSS: 92.03% (99.8th percentile)
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crushftp | crushftp | >= 10 < 10.8.5 | 10.8.5 |
| crushftp | crushftp | >= 10.0.0 < 10.8.5 | 10.8.5 |
| crushftp | crushftp | >= 11 < 11.3.4_23 | 11.3.4_23 |
| crushftp | crushftp | >= 11.0.0 < 11.3.4_23 | 11.3.4_23 |
Detection & IOCs (extracted from sources)
- other: Content-Type: disposition-notification
- cookie: CrushAuth=<timestamp>_<token><c2f>; currentAuth=<c2f>
- command: command=getUserList&serverGroup=MainUsers

Snort rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CrushFTP WebInterface Alternative Channel Authentication Bypass (CVE-2025-54309) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WebInterface/function/"; fast_pattern; content:"command|3d|login"; http.header; to_lowercase; content:"as2-to"; pcre:"/^[^\x0d\x0a]*?\x5ccrushadmin/R"; reference:url,reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/; reference:cve,2025-54309; classtype:attempted-admin; sid:2064044; rev:1; metadata:affected_product CrushFTP, attack_target Server, tls_state TLSDecrypt, created_at 2025_08_19, cve CVE_2025_54309, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

- Look for HTTP POST requests to /WebInterface/function/ containing the AS2-TO header with value \crushadmin and Content-Type of disposition-notification — this is the core exploit request pattern.
- The exploit is a race condition: two concurrent POST requests are sent to /WebInterface/function/ — one with AS2-TO/disposition-notification headers and one without — to win a timing window that grants admin access.
- A successful exploit response contains the XML pattern <user_list_subitem> with usernames — monitor for this pattern in HTTP responses from CrushFTP.
- Check CrushFTP user accounts for new, unrecognized admin-level usernames and review the last_logins field for anomalous entries as primary IOCs of compromise.
- Use Shodan/FOFA/ZoomEye queries to identify exposed CrushFTP instances: http.title:"crushftp", http.favicon.hash:-1022206565, icon_hash="-1022206565", title="crushftp".
- Review upload and download logs for unusual activity as recommended by CrushFTP as part of post-compromise investigation.
- The Emerging Threats Snort rule (sid:2064044) requires TLS decryption (tls_state TLSDecrypt) to fire, as the exploit travels over HTTPS — passive inspection without TLS decryption will miss this.
- CrushFTP advises restoring the default user configuration from a backup dated before July 16th if compromise is suspected.
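As an added example (not code from any of the sources above), the following Python re-expresses the two Emerging Threats rule variants quoted on this page, sid 2064043 (M1) and sid 2064044 (M2), as a check that can be run offline over decrypted HTTP requests exported from a proxy, WAF or packet capture. The sample requests are constructed, not captured traffic, and the hostname is a placeholder.

```python
import re

# ET rule variants on this page re-expressed in Python. The header test
# mirrors the rules' lowercased header buffer plus the PCRE
# /^[^\x0d\x0a]*?\x5ccrushadmin/R: "\crushadmin" later on the AS2-TO line.
AS2_TO_CRUSHADMIN = re.compile(r"as2-to[^\r\n]*?\\crushadmin")

def split_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, uri, header_block, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    method, uri, _ = request_line.split(" ", 2)
    return method, uri, header_block, body

def et_rule_hits(raw: str) -> list:
    """Return the rule variants ("M1", "M2") this request would trigger."""
    method, uri, header_block, body = split_request(raw)
    hits = []
    # Both rules: POST to the WebInterface function endpoint ...
    if method != "POST" or "/WebInterface/function/" not in uri:
        return hits
    # ... with an AS2-TO header line naming \crushadmin (any letter case).
    if not AS2_TO_CRUSHADMIN.search(header_block.lower()):
        return hits
    # M2 (sid 2064044): "command=login" in the URI buffer (query string).
    if "command=login" in uri:
        hits.append("M2")
    # M1 (sid 2064043): "command=setUserItem" in the request body.
    if "command=setUserItem" in body:
        hits.append("M1")
    return hits

# Constructed sample traffic (not captured data; hostname is a placeholder):
# one request shaped like the IOC pattern above, one ordinary login that must not alert.
SUSPICIOUS = (
    "POST /WebInterface/function/?command=login HTTP/1.1\r\n"
    "Host: files.example.internal\r\n"
    "AS2-TO: \\crushadmin\r\n"
    "Content-Type: disposition-notification\r\n"
    "\r\n"
)
BENIGN = (
    "POST /WebInterface/function/?command=login HTTP/1.1\r\n"
    "Host: files.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=REDACTED\r\n"
)
```

Because the rules carry tls_state TLSDecrypt, feed this the plaintext of the HTTPS session (e.g. from a decrypting proxy log), not the raw TLS stream.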
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.0 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
CISA
CrushFTP Unprotected Alternate Channel Vulnerability (CWE-420)
cisa · 2025-07-22 · CVSS 9.8 · CRITICAL
Affected: CrushFTP CrushFTP
CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, it mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54309
Remediation Due Date: 2025-08-12
GHSA
GHSA-rh5q-v9ww-rqgm (CWE-420)
ghsa_unreviewed · 2025-07-18 · CRITICAL
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
VulnCheck
CrushFTP Unprotected Alternate Channel Vulnerability (CWE-420)
vulncheck · 2025 · CVSS 9.0 · CRITICAL
CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, it mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.
Affected: CrushFTP CrushFTP
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://arcticwolf.com/resources/blog/cve-2025-54309-critical-zero-day-vulnerability-in-crushftp-exploited/; https://nvd.nist.gov/vuln/detail/CVE-2025-54309; https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025; https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wil
Suricata
ET WEB_SPECIFIC_APPS CrushFTP WebInterface Alternative Channel Authentication Bypass (CVE-2025-54309) M2
suricata · 2025-08-19 · CVSS 9.0 · CRITICAL
Rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CrushFTP WebInterface Alternative Channel Authentication Bypass (CVE-2025-54309) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WebInterface/function/"; fast_pattern; content:"command|3d|login"; http.header; to_lowercase; content:"as2-to"; pcre:"/^[^\x0d\x0a]*?\x5ccrushadmin/R"; reference:url,reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/; reference:cve,2025-54309; classtype:attempted-admin; sid:2064044; rev:1; metadata:affected_product CrushFTP, attack_target Server, tls_state TLSDecrypt, created_at 2025_08_19, cve CVE_2025_54309, deployment Perimeter, deploym
```
Suricata
ET WEB_SPECIFIC_APPS CrushFTP WebInterface Alternative Channel Authentication Bypass (CVE-2025-54309) M1
suricata · 2025-08-19 · CVSS 9.0 · CRITICAL
Rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CrushFTP WebInterface Alternative Channel Authentication Bypass (CVE-2025-54309) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WebInterface/function/"; fast_pattern; http.header; to_lowercase; content:"as2-to"; pcre:"/^[^\x0d\x0a]*?\x5ccrushadmin/R"; http.request_body; content:"command|3d|setUserItem"; reference:url,reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/; reference:cve,2025-54309; classtype:attempted-admin; sid:2064043; rev:2; metadata:affected_product CrushFTP, attack_target Server, tls_state TLSDecrypt, created_at 2025_08_19, cve CVE_2025_54309, depl
```
Nuclei
CrushFTP - Authentication Bypass Race Condition
nuclei · CVSS 9.8 · CRITICAL
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
Template:

```yaml
id: CVE-2025-54309
info:
  name: CrushFTP - Authentication Bypass Race Condition
  author: pussycat0x,watchTowr,dhiyaneshdk
  severity: critical
  description: |
    CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
  impact: |
    Remote attackers can bypass authentication and access sensitive user data, potentially leading to unauthorized a
```
Bleepingcomputer
Over 1,000 CrushFTP servers exposed to ongoing hijack attacks
blogs_bleepingcomputer · 2025-07-21 · CVSS 9.0 · CRITICAL
By Sergiu Gatlan
Over 1,000 CrushFTP instances currently exposed online are vulnerable to hijack attacks that exploit a critical security bug, providing admin access to the web interface.
The security vulnerability ( CVE-2025-54309 ) is due to mishandled AS2 validation and impacts all CrushFTP versions below 10.8.5 and 11.3.4_23. The vendor tagged the flaw as actively exploited in the wild on July 19th, noting that attacks may have begun earlier, although it has yet to find evidence to confirm this.
"July 18th, 9AM CST there is a 0-day exploit seen in the wild. Possibly it has been going on for longer, but we saw it then. Hackers apparently reverse engineered our code and found some bug which we had already fixed," reads
Tenable
CVE-2025-54309: CrushFTP Zero-Day Vulnerability Exploited In The Wild
blogs_tenable · 2025-07-18 · CVSS 9.0 · CRITICAL
Bleepingcomputer
New CrushFTP zero-day exploited in attacks to hijack servers
blogs_bleepingcomputer · 2025-07-18 · CVSS 9.0 · CRITICAL
By Lawrence Abrams
CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers.
CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S, and other protocols.
According to CrushFTP, threat actors were first detected exploiting the vulnerability on July 18th at 9AM CST, though it may have begun in the early hours of the previous day.
CrushFTP CEO Ben Spink told BleepingComputer that they had previously fixed a vulnerability related to AS2 in HTTP(S) that inadvertently blocked this zero-day flaw as well.
Greynoiseio
NoiseLetter August 2025
blogs_greynoiseio
References
- https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/
- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
- https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
- https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309

Timeline
- 2025-07-18: Published
- 2025-07-22: Added to CISA KEV
- Exploited in the wild