CVE-2025-54309
published 2025-07-18


Priority: P1 · 98 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-08-12
Exploited in the wild
EPSS: 92.03% (99.8th percentile)
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

Affected (4 ranges)

Vendor     Product    Version range          Fixed in
crushftp   crushftp   >= 10 < 10.8.5         10.8.5
crushftp   crushftp   >= 10.0.0 < 10.8.5     10.8.5
crushftp   crushftp   >= 11 < 11.3.4_23      11.3.4_23
crushftp   crushftp   >= 11.0.0 < 11.3.4_23  11.3.4_23

Detection & IOCs (extracted from sources)

url:      /WebInterface/function/
other:    AS2-TO: \crushadmin
other:    Content-Type: disposition-notification
cookie:   CrushAuth=<timestamp>_<token><c2f>; currentAuth=<c2f>
other:    username: 7a0d26089ac528941bf8cb998d97f408m
command:  command=getUserList&serverGroup=MainUsers
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CrushFTP WebInterface Alternative Channel Authentication Bypass (CVE-2025-54309) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WebInterface/function/"; fast_pattern; content:"command|3d|login"; http.header; to_lowercase; content:"as2-to"; pcre:"/^[^\x0d\x0a]*?\x5ccrushadmin/R"; reference:url,reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/; reference:cve,2025-54309; classtype:attempted-admin; sid:2064044; rev:1; metadata:affected_product CrushFTP, attack_target Server, tls_state TLSDecrypt, created_at 2025_08_19, cve CVE_2025_54309, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP POST requests to /WebInterface/function/ containing the AS2-TO header with value \crushadmin and a Content-Type of disposition-notification: this is the core exploit request pattern.
  • The exploit is a race condition: two concurrent POST requests are sent to /WebInterface/function/, one with the AS2-TO/disposition-notification headers and one without, to win a timing window that grants admin access.
  • A successful exploit response contains the XML pattern <user_list_subitem> with usernames; monitor for this pattern in HTTP responses from CrushFTP.
  • Check CrushFTP user accounts for new, unrecognized admin-level usernames and review the last_logins field for anomalous entries as primary IOCs of compromise.
  • Use Shodan/FOFA/ZoomEye queries to identify exposed CrushFTP instances: http.title:"crushftp", http.favicon.hash:-1022206565, icon_hash="-1022206565", title="crushftp".
  • Review upload and download logs for unusual activity, as recommended by CrushFTP as part of post-compromise investigation.
  • The Emerging Threats Snort rule (sid:2064044) requires TLS decryption (tls_state TLSDecrypt) to fire, because the exploit travels over HTTPS; passive inspection without TLS decryption will miss it.
  • CrushFTP advises restoring the default user configuration from a backup dated before July 16th if compromise is suspected.
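The request indicators above (POST to /WebInterface/function/, AS2-TO header carrying \crushadmin, Content-Type of disposition-notification, the command parameter, the <user_list_subitem> response marker) can be checked against decrypted HTTP logs without a full IDS. The following is an added example, not CrushFTP's code and not the Emerging Threats rule itself: it re-implements those indicators as a small log-inspection routine and pairs the two race requests from one source. The sample traffic, the host name, the source addresses and the PAIR_WINDOW_SECONDS value are all constructed assumptions.

```python
"""Log-side detection of the CVE-2025-54309 request pattern (added example)."""
import re
from dataclasses import dataclass

# Indicators as listed on this page; the regex mirrors the intent of the ET rule's pcre
TARGET_PATH = "/WebInterface/function/"
AS2_TO_PATTERN = re.compile(r"\\crushadmin", re.IGNORECASE)  # backslash + crushadmin
USER_LIST_MARKER = "<user_list_subitem>"
PAIR_WINDOW_SECONDS = 2.0  # assumption: how close in time the two race requests arrive


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict  # header names lower-cased
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Parse a raw HTTP/1.1 request: request line, headers, blank line, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def classify_request(req: HttpRequest) -> list:
    """Return the page's indicators that this request matches (empty list = clean)."""
    hits = []
    if req.method.upper() != "POST" or not req.path.startswith(TARGET_PATH):
        return hits
    if AS2_TO_PATTERN.search(req.headers.get("as2-to", "")):
        hits.append("as2-to-crushadmin")
    if "disposition-notification" in req.headers.get("content-type", "").lower():
        hits.append("mdn-content-type")
    params = req.path + "&" + req.body  # the command may sit in the query string or the body
    if "command=login" in params:
        hits.append("login-command")
    if "command=getUserList" in params:
        hits.append("getuserlist-command")
    return hits


def is_exploit_attempt(req: HttpRequest) -> bool:
    """Only the AS2-TO indicator is alert-worthy on its own; command=login is normal traffic."""
    return "as2-to-crushadmin" in classify_request(req)


def response_leaks_user_list(body: str) -> bool:
    """A successful exploit answer carries the user list XML described above."""
    return USER_LIST_MARKER in body


def find_race_pairs(events):
    """events: list of (timestamp_seconds, src_ip, raw_request).

    Flags sources that send an AS2-TO-marked POST and a second, unmarked POST to the
    same endpoint within PAIR_WINDOW_SECONDS, i.e. the two-request race described above.
    """
    posts = []
    for ts, src, raw in events:
        req = parse_request(raw)
        if req.method.upper() == "POST" and req.path.startswith(TARGET_PATH):
            posts.append((ts, src, is_exploit_attempt(req)))
    flagged = set()
    for ts, src, marked in posts:
        if marked and any(
            s == src and not m and abs(t - ts) <= PAIR_WINDOW_SECONDS for t, s, m in posts
        ):
            flagged.add(src)
    return sorted(flagged)


# Constructed sample traffic (not captured from any real host).
SUSPECT = (
    "POST /WebInterface/function/?command=login HTTP/1.1\r\n"
    "Host: crushftp.example.test\r\n"
    "AS2-TO: \\crushadmin\r\n"
    "Content-Type: disposition-notification\r\n"
    "\r\n"
    "username=placeholder"
)
ORDINARY_LOGIN = (
    "POST /WebInterface/function/?command=login HTTP/1.1\r\n"
    "Host: crushftp.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=REDACTED"
)
SAMPLE_EVENTS = [
    (0.00, "198.51.100.7", SUSPECT),         # marked request
    (0.05, "198.51.100.7", ORDINARY_LOGIN),  # its unmarked twin, 50 ms later
    (5.00, "203.0.113.9", ORDINARY_LOGIN),   # unrelated normal login
]

if __name__ == "__main__":
    print(classify_request(parse_request(SUSPECT)))
    print(find_race_pairs(SAMPLE_EVENTS))
```

The AS2-TO check is the only indicator that alerts by itself; command=login and the MDN content type are kept as context so an analyst can see which parts of the pattern a given request matched, and find_race_pairs turns the race-condition bullet into a per-source correlation that a plain signature cannot express.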

CVSS provenance

nvd (v3.1):  9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck:   9.0 CRITICAL
cisa:        9.8 CRITICAL