Exploitation of CrushFTP Vulnerability CVE-2025-54309
Summary
Exploitation of this critical vulnerability could allow a remote attacker to obtain admin access via HTTPS
Affected platforms
The following platforms are known to be affected:
Threat details
Exploitation of CVE-2025-54309
Exploitation of CVE-2025-54309 has been reported in the wild. The NHS England National CSOC assesses that continued exploitation of this vulnerability is likely.
Introduction
CrushFTP reports that exploitation of a zero-day vulnerability was observed in the wild as early as 18 July 2025. CrushFTP, a proprietary multi-protocol, multi-platform file transfer server, states that exploitation of CVE-2025-54309 could allow a remote attacker to obtain admin access via HTTPS. CVE-2025-54309 has a CVSSv3 score of 9.0 and is considered a critical vulnerability.
Note: The vulnerability is not exploitable if organisations have implemented the demilitarised zone (DMZ) function of CrushFTP.
Remediation advice
Affected organisations are encouraged to review the latest CrushFTP release notes and apply the relevant security update.
Note: In the notification CompromiseJuly2025, CrushFTP goes into more detail about indicators of compromise, advice for those who suspect exploitation, and possible mitigation for future weaknesses.
Definitive source of threat updates
Last edited: 21 July 2025 3:47 pm