CVE-2025-54309

None

Description

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

INFO

Published Date :

2025-07-18T00:00:00.000Z

Last Modified :

2025-10-21T22:45:21.853Z

Source :

mitre

AFFECTED PRODUCTS

The following products are affected by CVE-2025-54309 vulnerability.

Vendors	Products
Crushftp	Crushftp

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-54309.

URL	Resource
https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability
https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact