CVE-2025-54309

Critical KEV CVSS: 9.0

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

Vendor

Crushftp

Product

Crushftp

CWE

CWE-420

Yayın Tarihi

2025-07-18 19:15:25

Güncelleme

2025-11-05 19:25:42

Source Identifier

cve@mitre.org

KEV Date Added

2025-07-22

Kategoriler

CWE-420 Crushftp CRITICAL Crushftp 2025

Referanslar

https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/ https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/ https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309

Benzer Kayıtlar

Medium

CVE-2025-63419

Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share…

Medium

CVE-2025-63420

CrushFTP11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created F…

Medium

CVE-2025-32102

CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=t…

Medium

CVE-2025-32103

CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows directory traversal via the /WebInterface/function/…

Critical

CVE-2025-31161

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unle…