CVE Alert: CVE-2025-54309 – CrushFTP
CVE-2025-54309
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
AI Summary Analysis
**Risk verdict:** Critical risk with active exploitation in the wild; treat as priority 1 due to confirmed exploitation and high impact.
**Why this matters:** An unauthenticated, network-accessible admin compromise enables full control of the server and potential data exfiltration or disruption across connected assets. With no user interaction required and a scope change in play, attackers can leverage this to pivot laterally and elevate privileges, amplifying business impact.
**Most likely attack path:** The flaw allows remote admin access over HTTPS without credentials when the DMZ proxy feature is not enabled, requiring no user interaction and no privileges. It is a network-exposed, high-severity path that can impact resources beyond the initial host. Once admin access is achieved, attackers can disable protections, harvest data, or move laterally to adjacent systems.
**Who is most exposed:** Organisations running internet-facing instances of the platform or those not enabling the DMZ proxy feature are most at risk; deployments with direct public administration endpoints are especially vulnerable.
**Detection ideas:**
- Unusual, successful HTTPS admin logins from external networks.
- Admin activity outside normal maintenance windows or from unexpected geographies.
- Sudden creation of new admin accounts or elevation of privileges.
- Repeated, rapid authentication attempts followed by successful access.
- Access to sensitive admin endpoints not aligned with normal change activity.
**Mitigation and prioritisation:**
- Patch to fixed versions immediately; treat as Priority 1 due to KEV/active exploitation.
- Enable DMZ proxy feature and reduce exposure of admin interfaces (disallow direct public access).
- Enforce MFA for all admin access; implement VPN/bastion access for administration.
- Apply strict network segmentation and access controls; monitor admin activity with SIEM alerts.
- Implement rapid patch management and change-control windows; verify remediation in staging before production rollout.
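To support the "patch to fixed versions" and "who is most exposed" points above, here is an added example (not code from the advisory or from CrushFTP) that checks an inventory of CrushFTP hosts against the fixed versions named in this advisory and ranks them for remediation. It assumes version strings look like `10.8.5` or `11.3.4_23` (the `_BUILD` suffix form is taken from the advisory text), and the sample inventory is constructed.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions named in the advisory: 10.x fixed in 10.8.5, 11.x in 11.3.4_23.
FIXED_VERSIONS = {10: "10.8.5", 11: "11.3.4_23"}

def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' or 'MAJOR.MINOR.PATCH_BUILD' into a comparable tuple.
    The '_BUILD' suffix form is assumed from the advisory's '11.3.4_23'; no suffix means build 0,
    so a bare '11.3.4' sorts before '11.3.4_23' and is treated as unpatched."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)

def is_unpatched(version: str) -> bool:
    """True if the version is in an affected branch (10.x or 11.x) and precedes its fixed release."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    return fixed is not None and parsed < parse_version(fixed)

def triage(version: str, dmz_proxy_enabled: bool, internet_facing: bool) -> str:
    """Map one host's facts onto the advisory's conditions (priority labels are this example's own):
    'P1' = unpatched, DMZ proxy not used, and reachable from the internet;
    'P2' = unpatched but the DMZ proxy is in use or the host is internal (still needs the patch);
    'OK' = running a fixed version."""
    if not is_unpatched(version):
        return "OK"
    if not dmz_proxy_enabled and internet_facing:
        return "P1"
    return "P2"

def triage_inventory(hosts: List[Dict]) -> Dict[str, str]:
    """Run triage over an inventory of host records and return name -> priority."""
    return {h["name"]: triage(h["version"], h["dmz_proxy"], h["internet_facing"]) for h in hosts}

# Constructed sample inventory for the demonstration; not real hosts.
SAMPLE_HOSTS = [
    {"name": "ftp-edge-1", "version": "11.3.3", "dmz_proxy": False, "internet_facing": True},
    {"name": "ftp-edge-2", "version": "11.3.4_22", "dmz_proxy": True, "internet_facing": True},
    {"name": "ftp-int-1", "version": "10.8.4", "dmz_proxy": False, "internet_facing": False},
    {"name": "ftp-int-2", "version": "10.8.5", "dmz_proxy": False, "internet_facing": True},
    {"name": "ftp-new", "version": "11.3.4_23", "dmz_proxy": False, "internet_facing": True},
]

if __name__ == "__main__":
    for name, prio in triage_inventory(SAMPLE_HOSTS).items():
        print(f"{name}: {prio}")
```

Hosts ranked P2 are still unpatched; the DMZ proxy and network position only lower the immediate exposure described in the advisory, they do not replace the fix.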