Cyber Posture

CVE-2025-54309

Critical · CISA KEV · Active Exploitation

Published: 18 July 2025
Modified: 05 November 2025
KEV Added: 22 July 2025
Patch
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.7776 (99.0th percentile)
Risk Priority: 85 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54309 is a critical-severity Unprotected Alternate Channel (CWE-420) vulnerability in CrushFTP (vendor: CrushFTP). Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation). Directly mitigates the CVE by requiring timely flaw remediation, i.e. patching CrushFTP to version 10.8.5 or 11.3.4_23, which removes the exploitable AS2 validation flaw.

prevent: SI-10 (Information Input Validation). Addresses the core mishandling of AS2 validation by enforcing comprehensive input validation, so that malformed inputs cannot be used to gain unauthorized admin access.

prevent: Enforces approved access authorizations, countering the vulnerability's bypass of validation so that remote attainment of admin privileges is blocked.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated admin access via public HTTPS interface on CrushFTP server due to AS2 validation flaw.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

Deeper analysis

CVE-2025-54309 is a critical vulnerability in CrushFTP versions 10 before 10.8.5 and 11 before 11.3.4_23, specifically when the DMZ proxy feature is not used. It arises from mishandling of AS2 validation, which allows remote attackers to obtain administrative access via HTTPS connections. The issue is classified under CWE-420 and carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for complete confidentiality, integrity, and availability impact with a changed scope.

Remote attackers with network access can exploit this vulnerability without authentication or user interaction, though it requires high attack complexity. Successful exploitation grants full administrative privileges on the affected CrushFTP server, enabling arbitrary control over the system.

Vendor and third-party advisories recommend immediate mitigation by upgrading to CrushFTP 10.8.5 or 11.3.4_23. The CrushFTP wiki page on the July 2025 compromise details the issue and patching instructions, while Vicarius provides specific guidance on detection and mitigation, and Rapid7 covers exploitation details.

This zero-day was actively exploited in the wild during July 2025, as confirmed in the CVE description and reported by sources including BleepingComputer.
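Because the fix is purely a version upgrade, the first triage step is deciding which inventoried CrushFTP hosts fall inside the affected ranges. The following script is an added example (not code from this record or from CrushFTP) that parses CrushFTP version strings, including the `_build` suffix used by 11.3.4_23, and applies the NVD scoping that the flaw only applies when the DMZ proxy feature is not used; the inventory lines and host names are constructed for the example.

```python
# Added example: triage inventoried CrushFTP versions against CVE-2025-54309.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Fixed builds named in the advisory: 10.8.5 for the 10.x line, 11.3.4_23 for 11.x.
FIXED: Dict[int, Tuple[int, int, int, int]] = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.3.4_23' or '10.8.4' into a comparable (major, minor, patch, build)
    tuple. A missing '_build' suffix is treated as build 0, so plain 11.3.4 sorts
    before 11.3.4_23, matching the advisory's 'before 11.3.4_23' wording."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


@dataclass
class Triage:
    version: str
    affected: bool
    reason: str


def triage(version: str, dmz_proxy_in_use: bool = False) -> Triage:
    """Decide whether a single CrushFTP instance is in the affected range."""
    v = parse_version(version)
    if v[0] not in FIXED:
        return Triage(version, False, "version line not covered by the advisory; verify manually")
    if v >= FIXED[v[0]]:
        return Triage(version, False, "at or above the fixed build")
    if dmz_proxy_in_use:
        # NVD scopes the flaw to deployments where the DMZ proxy feature is not used.
        return Triage(version, False, "vulnerable build behind DMZ proxy (out of NVD scope); still upgrade")
    return Triage(version, True, "vulnerable build with no DMZ proxy: upgrade to 10.8.5 / 11.3.4_23")


# Constructed sample inventory: host,version,dmz_proxy(yes/no). Not real hosts.
SAMPLE_INVENTORY: List[str] = [
    "ftp-edge-1,10.8.4,no",
    "ftp-edge-2,11.3.4_23,no",
    "ftp-int-1,11.3.4_22,yes",
]


def triage_inventory(lines: List[str]) -> Dict[str, Triage]:
    """Map each inventory host to its triage result."""
    results: Dict[str, Triage] = {}
    for line in lines:
        host, version, dmz = (field.strip() for field in line.split(","))
        results[host] = triage(version, dmz_proxy_in_use=(dmz.lower() == "yes"))
    return results
```

Of the three constructed hosts, only ftp-edge-1 (10.8.4, no DMZ proxy) is flagged as affected; the host behind the DMZ proxy is reported out of scope but still recommended for upgrade.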

Details

CWE(s): CWE-420 (Unprotected Alternate Channel)
KEV Date Added: 22 July 2025

Affected Products

Vendor: crushftp
Product: crushftp
Affected versions: 10.0.0 — 10.8.5 · 11.0.0 — 11.3.4_23 (fixed in 10.8.5 and 11.3.4_23)

CVEs Like This One

CVE-2025-10035 (same product class: managed file transfer; both on KEV)
CVE-2026-4670 (same product class: managed file transfer)
CVE-2026-1264 (same product class: managed file transfer)
CVE-2025-13447 (same product class: managed file transfer)
CVE-2025-11235 (same product class: managed file transfer)
CVE-2025-67303 (shared CWE-420)
CVE-2025-13444 (same product class: managed file transfer)
CVE-2025-14031 (same product class: managed file transfer)
CVE-2025-36368 (same product class: managed file transfer)
CVE-2026-23636 (same product class: managed file transfer)

References