CVE-2025-54309
Published: 18 July 2025
Summary
CVE-2025-54309 is a critical-severity Unprotected Alternate Channel (CWE-420) vulnerability in CrushFTP (vendor: CrushFTP). Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CrushFTP versions 10 prior to 10.8.5 and 11 prior to 11.3.4_23 are affected by CVE-2025-54309 when the DMZ proxy feature is not in use. The flaw stems from improper handling of AS2 validation, which permits unauthorized remote access over HTTPS. It is tracked under CWE-420 and carries a CVSS 3.1 score of 9.0, reflecting high impact on confidentiality, integrity, and availability with a changed scope.
Remote attackers without authentication or user interaction can exploit the issue to obtain administrative privileges on the server. The vulnerability has already been leveraged in the wild during July 2025, enabling full administrative compromise of exposed CrushFTP instances that do not route traffic through the DMZ proxy.
Vendor guidance and third-party advisories direct administrators to upgrade immediately to the fixed releases and review the July 2025 compromise notice for indicators of prior access. The EPSS score reached a peak of 0.8284 with a current value of 0.7680, consistent with observed in-the-wild activity shortly after disclosure.
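The version ranges above are the practical triage question for this CVE: is a given CrushFTP build inside the affected range, and is the DMZ proxy in front of it? The following is an added example, not part of this record and not CrushFTP's own tooling, that parses CrushFTP-style version strings (including the `_NN` build suffix used by 11.3.4_23) and classifies an inventory of hosts. The version-string format, the treatment of a missing build suffix as build 0, the inventory records and the host names are all assumptions constructed for the example.

```python
"""Classify CrushFTP hosts against the affected ranges of CVE-2025-54309.

Affected (per the advisory): 10.x before 10.8.5 and 11.x before 11.3.4_23,
when the DMZ proxy feature is not used. Everything else here is an assumption
made for this example.
"""
import re

# First fixed release per major version, as (dotted parts, build suffix).
# Assumption: a version with no "_NN" suffix is treated as build 0, so a bare
# "11.3.4" sorts below "11.3.4_23" and is reported as affected.
FIXED = {
    10: ((10, 8, 5), 0),
    11: ((11, 3, 4), 23),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?$")


def parse_version(text):
    """Return (dotted_parts, build) for strings like '10.8.4' or '11.3.4_22'."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    build = int(match.group(2)) if match.group(2) else 0
    return parts, build


def _pad(parts, width=3):
    """Right-pad a dotted tuple with zeros so '11.4' compares as (11, 4, 0)."""
    return parts + (0,) * (width - len(parts))


def assess(version, dmz_proxy_in_use):
    """Classify one host.

    Returns one of:
      'affected'        - vulnerable code and no DMZ proxy in front of it
      'mitigated-by-dmz'- vulnerable code, but the advisory's precondition
                          (DMZ proxy not used) does not hold; still patch
      'fixed'           - at or above the fixed release for its major version
      'out-of-scope'    - a major version the advisory does not list
    """
    parts, build = parse_version(version)
    major = parts[0]
    if major not in FIXED:
        return "out-of-scope"
    fixed_parts, fixed_build = FIXED[major]
    # Tuple comparison: dotted parts first, then the build suffix.
    vulnerable_code = (_pad(parts), build) < (fixed_parts, fixed_build)
    if not vulnerable_code:
        return "fixed"
    return "mitigated-by-dmz" if dmz_proxy_in_use else "affected"


def triage(inventory):
    """Map each host to its status and list the hosts needing immediate action."""
    statuses = {
        host: assess(rec["version"], rec["dmz_proxy"]) for host, rec in inventory.items()
    }
    urgent = sorted(h for h, s in statuses.items() if s == "affected")
    return statuses, urgent


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "ftp-a.example.test": {"version": "10.8.4", "dmz_proxy": False},
    "ftp-b.example.test": {"version": "11.3.4_22", "dmz_proxy": True},
    "ftp-c.example.test": {"version": "11.3.4_23", "dmz_proxy": False},
    "ftp-d.example.test": {"version": "11.3.4", "dmz_proxy": False},
    "ftp-e.example.test": {"version": "9.5", "dmz_proxy": False},
}

if __name__ == "__main__":
    statuses, urgent = triage(SAMPLE_INVENTORY)
    for host, status in sorted(statuses.items()):
        print(f"{host:22} {status}")
    print("patch first:", ", ".join(urgent))
```

Hosts classified as `mitigated-by-dmz` still run vulnerable code; the status only records that the advisory's stated precondition is not met, so they belong in the same patch cycle, just not at the front of the queue.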
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21909
Vulnerability details
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
- CWE(s): CWE-420 (Unprotected Alternate Channel)
- KEV Date Added: 22 July 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The AS2 validation flaw gives an unauthenticated remote attacker direct admin access through the CrushFTP server's public HTTPS interface.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the CVE by requiring timely flaw remediation through patching CrushFTP to version 10.8.5 or 11.3.4_23, preventing exploitation of the AS2 validation flaw.
- SI-10 (Information Input Validation): Addresses the core mishandling of AS2 validation by enforcing comprehensive input validation to block unauthorized admin access via malformed inputs.
- Access enforcement: Enforces approved access authorizations, countering the vulnerability's bypass of validation to prevent remote attainment of admin privileges.