CVE-2025-54309 Overview
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
Critical Impact
This vulnerability can lead to unauthorized administrative access, severely compromising server integrity and exposing sensitive data.
Affected Products
- CrushFTP 10 before 10.8.5
- CrushFTP 11 before 11.3.4_23
Discovery Timeline
- Unknown - Vulnerability discovered
- Unknown - Responsible disclosure to CrushFTP
- Unknown - CVE-2025-54309 assigned
- Unknown - CrushFTP releases security patch
- 2025-07-18T19:15:25.353 - CVE-2025-54309 published to NVD
- 2025-11-05T19:25:42.887 - Last updated in NVD database
Technical Details for CVE-2025-54309
Vulnerability Analysis
This vulnerability arises from improper handling of AS2 validation processes, where inadequate input validation allows attackers to subvert access controls. Exploiting this flaw can potentially grant attackers full administrative access to CrushFTP servers.
Root Cause
The root cause of this vulnerability is the mishandling of input validation in the AS2 protocol used by CrushFTP, enabling unauthorized command execution.
Attack Vector
The attack is executed over the network through HTTPS requests, specifically targeting the AS2 validation logic.
# Example exploitation code (sanitized)
# Note: the host, path and token below are placeholders; this is a generic
# HTTPS GET against the admin interface and does not exercise AS2 validation.
import requests
url = "https://vulnerable-server.com/admin"
headers = {
'Content-Type': 'application/https',
'Authorization': 'Bearer malicious-token'
}
response = requests.get(url, headers=headers)
print(response.text)
Detection Methods for CVE-2025-54309
Indicators of Compromise
- Unusual admin access attempts
- Unexpected configuration changes
- Logs indicating AS2 validation errors
Detection Strategies
Implement network traffic analysis to monitor for irregular HTTPS requests targeting the administrative interface. Use log analysis tools to detect AS2 protocol anomalies.
Monitoring Recommendations
Deploy network and host-level monitoring to identify unauthorized access attempts, and use intrusion detection systems to flag anomalies in admin authentication processes.
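As an added example (not code from the original page or from CrushFTP), the following scans access-log lines for the indicators listed above: AS2 validation errors, repeated admin authentication failures, admin-interface access from outside an allowlist, and the sequence of AS2 errors followed by a successful admin request from the same source. The log layout, the `/admin` path prefix and the addresses are assumptions; a real CrushFTP log needs its own parser.

```python
import re
from collections import Counter

# Constructed sample log lines (assumption: "ip method path status user note"
# layout). Paths and addresses are placeholders, not real CrushFTP values.
SAMPLE_LOG = """\
203.0.113.5 POST /admin 401 - AS2 validation error
203.0.113.5 POST /admin 401 - AS2 validation error
203.0.113.5 GET /admin 200 crushadmin -
10.0.0.7 GET /admin 200 crushadmin -
198.51.100.9 GET /files/ 200 alice -
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<user>\S+) (?P<note>.*)$"
)
ADMIN_PREFIXES = ("/admin",)          # assumed admin-interface path prefixes
TRUSTED_ADMIN_SOURCES = {"10.0.0.7"}  # constructed allowlist of admin sources
FAIL_THRESHOLD = 2                    # repeated admin auth failures per source


def parse(log_text):
    # Yield one dict per parseable line; anything else is skipped.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_alerts(log_text, trusted=TRUSTED_ADMIN_SOURCES):
    # Return (rule, source_ip, path) tuples in log order.
    alerts, failures, as2_errors = [], Counter(), set()
    for e in parse(log_text):
        ip, path, status, note = e["ip"], e["path"], e["status"], e["note"].lower()
        is_admin = path.startswith(ADMIN_PREFIXES)
        if "as2" in note and "error" in note:
            alerts.append(("as2_validation_error", ip, path))
            as2_errors.add(ip)
        if is_admin and status == "401":
            failures[ip] += 1
            if failures[ip] == FAIL_THRESHOLD:
                alerts.append(("repeated_admin_auth_failure", ip, path))
        if is_admin and status == "200":
            if ip not in trusted:
                alerts.append(("admin_access_from_untrusted_source", ip, path))
            if ip in as2_errors:
                # Same source hit AS2 errors, then reached the admin interface.
                alerts.append(("as2_error_then_admin_success", ip, path))
    return alerts
```

Running `find_alerts(SAMPLE_LOG)` flags only the 203.0.113.5 lines; the allowlisted admin session and the ordinary file request produce nothing.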
How to Mitigate CVE-2025-54309
Immediate Actions Required
- Disable vulnerable AS2 processing where possible
- Enforce multi-factor authentication for admin access
- Regularly review and audit server logs
Patch Information
Ensure all instances of CrushFTP are updated to a patched release: 10.8.5 or later for CrushFTP 10, and 11.3.4_23 or later for CrushFTP 11.
Workarounds
If upgrading is not immediately possible, employ application-level firewalls to filter out unauthorized HTTPS requests and manually restrict access to sensitive administrative endpoints.
# Configuration example for firewall
# "trusted-ip-source" is a placeholder for the address or CIDR range allowed to reach
# the HTTPS interface; the ACCEPT rule must precede the DROP rule, which blocks all other
# sources on port 443.
iptables -A INPUT -p tcp --dport 443 -s trusted-ip-source -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.