
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-54309 is a critical vulnerability affecting CrushFTP versions 10 before 10.8.5 and 11 before 11.3.4_23. The vulnerability was discovered being actively exploited in the wild on July 18, 2025, though exploitation may have begun earlier. The flaw stems from mishandling of Applicability Statement 2 (AS2) validation when the DMZ proxy feature is not used, allowing remote attackers to obtain administrative access via HTTPS (CrushFTP Wiki, NVD).
The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) from NVD and 9.0 (Critical) from MITRE. The vulnerability is classified as CWE-420 (Unprotected Alternate Channel). The flaw originated from a rarely used feature related to AS2 in HTTP(S), which was inadvertently blocked by a previous fix targeting a different issue. Threat actors discovered the vulnerability by reverse engineering recent code changes (Rapid7, NVD).
Successful exploitation of CVE-2025-54309 allows attackers to gain administrative access to vulnerable CrushFTP servers. This access enables threat actors to create new administrator accounts, modify default configurations, maintain persistence, and potentially conduct data theft. According to Shadowserver Foundation, approximately 1,040 exposed and unpatched CrushFTP instances are vulnerable to this exploit, primarily located in the US, Europe, and Canada (HelpNet Security).
Organizations should immediately upgrade to CrushFTP versions 10.8.5 or 11.3.4_23 or later. Additional recommended mitigation steps include implementing IP whitelisting for server and admin access, enabling automatic updates, and reviewing upload/download logs for suspicious activity. For compromised systems, administrators should restore the default user configuration from backups predating July 16th. While using a DMZ instance was initially suggested as a mitigation strategy, security researchers advise against solely relying on this approach (Rapid7, CrushFTP Wiki).
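As an added example (not part of the original report or of CrushFTP's own tooling), the following Python helper compares a CrushFTP version string against the affected ranges stated above (10.x before 10.8.5, 11.x before 11.3.4_23) so that an inventory of servers can be triaged for patching. It assumes the version strings follow the `major.minor.patch[_build]` shape used in the advisory; the host names and versions in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds per affected major line, as stated in the advisory text:
# 10.x is fixed at 10.8.5, 11.x is fixed at 11.3.4_23.
FIXED_VERSIONS: Dict[int, str] = {10: "10.8.5", 11: "11.3.4_23"}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a CrushFTP version such as '11.3.4_23' into a comparable tuple.

    The optional '_NN' suffix is treated as a fourth build component and
    defaults to 0 when absent, so '11.3.4' sorts below '11.3.4_23'.
    """
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", version.strip())
    if not match:
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """Return True if the version lies in an affected range for CVE-2025-54309,
    False if it is at or above the fixed build of its major line, and None for
    major versions the advisory does not mention (no claim is made for those).
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def find_vulnerable_hosts(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (host, version) pairs from an inventory that still need the patch."""
    return sorted(
        (host, version)
        for host, version in inventory.items()
        if is_vulnerable(version) is True
    )


# Constructed sample inventory (hypothetical hosts, for demonstration only).
SAMPLE_INVENTORY: Dict[str, str] = {
    "ftp-01.example.internal": "11.3.4_23",  # patched
    "ftp-02.example.internal": "11.3.1",     # affected
    "ftp-03.example.internal": "10.8.2",     # affected
    "ftp-04.example.internal": "10.8.5",     # patched
}

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY.items():
        status = {True: "VULNERABLE", False: "patched", None: "not in advisory"}
        print(f"{host:28} {version:12} {status[is_vulnerable(version)]}")
    print("needs upgrade:", find_vulnerable_hosts(SAMPLE_INVENTORY))
```

The build suffix matters: `11.3.4` without `_23` is still in the affected range, so a naive three-part comparison would wrongly report it as fixed.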
The vulnerability has been added to CISA's Known Exploited Vulnerabilities Catalog, requiring federal agencies to apply vendor mitigations by August 12, 2025. CrushFTP CEO Ben Spink acknowledged that the vulnerability was discovered through reverse engineering of their code changes, emphasizing the importance of regular patching (NVD, Bleeping Computer).
Source: This report was generated using AI