CVE-2025-54309

Description: CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

On Friday, July 18, 2025, managed file transfer vendor CrushFTP released information to a private mailing list on a new critical vulnerability, tracked as CVE-2025-54309, affecting versions below 10.8.5 and 11.3.4_23 across all platforms. According to the public-facing vendor advisory, this vulnerability in the CrushFTP managed file transfer software web interface is being exploited in the wild.

Although a public proof-of-concept exploit is not yet available, the details about exploitation in the wild shared by the vendor indicate a significantly impactful server-side vulnerability. Based on the provided IOCs, attackers are establishing administrator account control and leveraging clever tactics to preserve access; the vendor stated in the updated advisory that the threat actor exploiting CVE-2025-54309 is patching version number information to present the illusion of an up-to-date system, as well as backdooring the internal default account and assigning it high privileges.

I’ve designated ‘Attacker Value’ as ‘Very High’, since this is being leveraged in the wild to compromise administrator accounts of a highly-targeted file transfer product. I’ve designated ‘Exploitability’ to be ‘Very High’ as well, since it appears to be broadly applicable to vulnerable systems without the non-default DMZ proxy configuration in place. Based on the information about CVE-2025-54309 that’s been presented, defenders would be wise to prioritize patching it and configure automatic future updates for CrushFTP.
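A small triage helper for the affected-version ranges quoted above, written as an added example for this write-up (it is not CrushFTP's code or the vendor's tooling). It parses CrushFTP-style version strings including the `_NN` build suffix, applies the 10.8.5 / 11.3.4_23 thresholds, and honours the DMZ-proxy condition from the description; the function and parameter names are my own.

```python
import re
from typing import Optional, Tuple

# Fixed versions from the advisory for CVE-2025-54309:
# 10.x is affected before 10.8.5, 11.x is affected before 11.3.4_23.
# Tuples are (major, minor, patch, build); a missing "_NN" suffix is build 0.
FIXED_VERSIONS = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

_VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\s*")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '11.3.4_23' or '10.8.5' into a comparable tuple."""
    m = _VERSION_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def affected_by_cve_2025_54309(version: str, dmz_proxy_in_use: bool = False) -> Optional[bool]:
    """Return True if the version is in the affected range and the DMZ proxy
    feature (the condition named in the description) is not in use.

    Returns None for major versions the advisory does not describe.

    Caveat from the vendor advisory: the actor exploiting this bug rewrites
    version-number information on compromised hosts, so a "fixed" reading
    taken from a running instance is not proof of a patched system. Confirm
    the version from the package you actually deployed, and review the
    privileges of the internal default account as a separate check.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    if dmz_proxy_in_use:
        # Advisory scopes the bug to deployments without the DMZ proxy;
        # patching is still the right call, but the check reports "not exposed".
        return False
    return v < fixed


if __name__ == "__main__":
    for sample in ("10.8.4", "10.8.5", "11.3.4", "11.3.4_22", "11.3.4_23"):
        print(sample, "->", affected_by_cve_2025_54309(sample))
```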

http://example.com/2025/07/21/other_3852336550/
Author: lianccc
Published: July 21, 2025