CVE-2025-54309 Overview
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
Critical Impact
This vulnerability can lead to unauthorized administrative access, severely compromising server integrity and exposing sensitive data.
Affected Products
- CrushFTP 10 before 10.8.5
- CrushFTP 11 before 11.3.4_23
Discovery Timeline
- Unknown - Vulnerability discovered
- Unknown - Responsible disclosure to crushftp
- Unknown - CVE CVE-2025-54309 assigned
- Unknown - crushftp releases security patch
- 2025-07-18T19:15:25.353 - CVE CVE-2025-54309 published to NVD
- 2025-11-05T19:25:42.887 - Last updated in NVD database
Technical Details for CVE-2025-54309
Vulnerability Analysis
This vulnerability arises from improper handling of AS2 validation processes, where inadequate input validation allows attackers to subvert access controls. Exploiting this flaw can potentially grant attackers full administrative access to CrushFTP servers.
Root Cause
The root cause of this vulnerability is the mishandling of input validation in the AS2 protocol used by CrushFTP, enabling unauthorized command execution.
Attack Vector
The attack is executed over the network through HTTPS requests, specifically targeting the AS2 validation logic.
# Example exploitation code (sanitized)
import requests
url = "https://vulnerable-server.com/admin"
headers = {
'Content-Type': 'application/https',
'Authorization': 'Bearer malicious-token'
}
response = requests.get(url, headers=headers)
print(response.text)
Detection Methods for CVE-2025-54309
Indicators of Compromise
- Unusual admin access attempts
- Unexpected configuration changes
- Logs indicating AS2 validation errors
Detection Strategies
Implement network traffic analysis to monitor for irregular HTTPS requests targeting the administrative interface. Use log analysis tools to detect AS2 protocol anomalies.
Monitoring Recommendations
Deploy network and host-level monitoring to identify unauthorized access attempts, and use intrusion detection systems to flag anomalies in admin authentication processes.
How to Mitigate CVE-2025-54309
Immediate Actions Required
- Disable vulnerable AS2 processing where possible
- Enforce multi-factor authentication for admin access
- Regularly review and audit server logs
Patch Information
Ensure all instances of CrushFTP are updated to versions 10.8.5 or 11.3.4_23 or later where the vulnerability has been patched.
Workarounds
If upgrading is not immediately possible, employ application-level firewalls to filter out unauthorized HTTPS requests and manually restrict access to sensitive administrative endpoints.
# Configuration example for firewall
iptables -A INPUT -p tcp --dport 443 -s trusted-ip-source -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
