Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-54309

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

Published

2025-07-18T19:15:25.353

Last Modified

2025-10-21T23:17:06.650

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.0 (CRITICAL)

Weaknesses

Type: Secondary
CWE-420

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	crushftp	crushftp	< 10.8.5	Yes
Application	crushftp	crushftp	< 11.3.4_23	Yes

References

https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/ Press/Media Coverage ([email protected])
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 Vendor Advisory ([email protected])
https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/ Press/Media Coverage ([email protected])
https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability Third Party Advisory ([email protected])
https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability Third Party Advisory ([email protected])
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309 (134c704f-9b21-4f2e-91b3-4a467353bcc0)