Unrated severityCISA KEVNVD Advisory· Published Jul 18, 2025· Updated Oct 21, 2025

CVE-2025-54309

Description

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

Affected products

CrushFTP/CrushFTPv5
Range: 10

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/mitre
www.crushftp.com/crush11wiki/Wiki.jspmitre
www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/mitre
www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerabilitymitre
www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerabilitymitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.066
exploit	0.000
kev	0.120
patch	0.000
ransomware	0.000