Unrated severityCISA KEVNVD Advisory· Published Jul 18, 2025· Updated Oct 21, 2025
CVE-2025-54309
CVE-2025-54309
Description
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
5- www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/mitre
- www.crushftp.com/crush11wiki/Wiki.jspmitre
- www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/mitre
- www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerabilitymitre
- www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerabilitymitre
News mentions
0No linked articles in our index yet.