Cyber Resilience

CVE-2025-54309

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 18 July 2025
Modified: 05 November 2025
KEV Added: 22 July 2025
Patch: fixed releases available (see Deeper analysis)
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.7680 (99.0th percentile)
Risk Priority: 84 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54309 is a critical-severity Unprotected Alternate Channel (CWE-420) vulnerability in CrushFTP. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CrushFTP versions 10 prior to 10.8.5 and 11 prior to 11.3.4_23 are affected by CVE-2025-54309 when the DMZ proxy feature is disabled. The flaw stems from improper handling of AS2 validation, which permits unauthorized remote access over HTTPS. It is tracked under CWE-420 with a CVSS 3.1 score of 9.0, reflecting high impact on confidentiality, integrity, and availability together with a scope change (S:C).

Remote attackers without authentication or user interaction can exploit the issue to obtain administrative privileges on the server. The vulnerability has already been leveraged in the wild during July 2025, enabling full administrative compromise of exposed CrushFTP instances that do not route traffic through the DMZ proxy.

Vendor guidance and third-party advisories direct administrators to upgrade immediately to the fixed releases and review the July 2025 compromise notice for indicators of prior access. The EPSS score reached a peak of 0.8284 with a current value of 0.7680, consistent with observed in-the-wild activity shortly after disclosure.
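The affected ranges above are easy to misjudge by eye because CrushFTP build strings carry an underscore build suffix (11.3.4_23), so a plain string comparison sorts them wrongly. The following is an added triage helper, not code from the advisory or from CrushFTP: it parses a build string into numeric components, treats the `_NN` suffix as one more component (an assumption about CrushFTP's ordering that matches the advisory listing 11.3.4_23 as the fix for 11.x), and reports whether a host falls inside the vulnerable ranges. The `dmz_proxy_enabled` flag models the advisory's precondition that only instances not routing traffic through the DMZ proxy are affected; the inventory at the bottom is constructed sample data.

```python
"""Added example (not from the advisory or from CrushFTP): decide whether a
CrushFTP build string falls in the ranges listed for CVE-2025-54309."""
import re

# Fixed releases named in the advisory, keyed by major version.
FIXED_RELEASES = {
    10: (10, 8, 5),
    11: (11, 3, 4, 23),
}


def parse_version(version: str) -> tuple:
    """Turn '11.3.4_23' into (11, 3, 4, 23) and '10.8.5' into (10, 8, 5).

    Assumption: the '_NN' build suffix orders like an extra numeric component,
    so 11.3.4 < 11.3.4_22 < 11.3.4_23 < 11.3.5. Tuple comparison gives exactly
    that ordering because a shorter tuple that is a prefix sorts first.
    """
    parts = re.split(r"[._]", version.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, dmz_proxy_enabled: bool = False) -> bool:
    """True when the build is older than the fixed release for its major
    version and the DMZ proxy is not in use (the advisory's precondition)."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[0])
    if fixed is None:
        # Only the 10.x and 11.x lines are listed as affected.
        return False
    if dmz_proxy_enabled:
        # Traffic goes through the DMZ proxy; the advisory scopes the
        # flaw to deployments where the proxy feature is not used.
        return False
    return parsed < fixed


def triage(inventory: list) -> list:
    """Return the hostnames that still need the fixed release, sorted.

    Each inventory entry is a dict with 'host', 'version' and 'dmz_proxy'.
    """
    return sorted(
        item["host"]
        for item in inventory
        if is_affected(item["version"], item["dmz_proxy"])
    )


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "mft-01.example", "version": "11.3.4_22", "dmz_proxy": False},
    {"host": "mft-02.example", "version": "11.3.4_23", "dmz_proxy": False},
    {"host": "mft-03.example", "version": "10.8.4", "dmz_proxy": True},
    {"host": "mft-04.example", "version": "10.7.9", "dmz_proxy": False},
    {"host": "mft-05.example", "version": "11.3.4", "dmz_proxy": False},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required (CVE-2025-54309)")
```

Hosts behind the DMZ proxy are reported as not affected here only because the advisory scopes the flaw that way; a defender would still schedule the upgrade for them, since the proxy setting can change.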

EU & UK References

Vulnerability details

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

CWE(s): CWE-420 (Unprotected Alternate Channel)
KEV Date Added: 22 July 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated admin access via public HTTPS interface on CrushFTP server due to AS2 validation flaw.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-10035 · Same product class: managed file transfer · both on KEV
CVE-2014-0160 · Same product class: managed file transfer · both on KEV
CVE-2026-24782 · Same product class: managed file transfer
CVE-2023-0669 · Same product class: managed file transfer · both on KEV
CVE-2023-34362 · Same product class: managed file transfer · both on KEV
CVE-2026-4670 · Same product class: managed file transfer
CVE-2026-1264 · Same product class: managed file transfer
CVE-2026-28270 · Same product class: managed file transfer
CVE-2026-23636 · Same product class: managed file transfer
CVE-2025-11235 · Same product class: managed file transfer

Affected Assets

Vendor: crushftp
Product: crushftp
Versions: 10.0.0 — 10.8.5 · 11.0.0 — 11.3.4_23

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (SI-2 Flaw Remediation): Directly mitigates the CVE by requiring timely flaw remediation through patching CrushFTP to versions 10.8.5 or 11.3.4_23, preventing AS2 validation exploitation.

prevent (SI-10 Information Input Validation): Addresses the core mishandling of AS2 validation by enforcing comprehensive input validation to block unauthorized admin access via malformed inputs.

prevent: Enforces approved access authorizations, countering the vulnerability's bypass of validation to prevent remote attainment of admin privileges.

References