Ben Spink

Researcher from CrushFTP
#26044 of 53,633
9.8 Total CVSS
Vulnerabilities · 1
PT-2025-30081
9.8
2025-07-18
CrushFTP · CrushFTP · CVE-2025-54309
**Name of the Vulnerable Software and Affected Versions**
CrushFTP 10 versions prior to 10.8.5
CrushFTP 11 versions prior to 11.3.4_23

**Description**
An authentication bypass exists in the web management interface of CrushFTP because the server improperly validates AS2 (Applicability Statement 2, a specification for secure data transport) requests. A remote, unauthenticated attacker can exploit the flaw over HTTPS to obtain full administrative access, which can lead to arbitrary code execution with elevated privileges; in reported attacks this was achieved by modifying the default user account so that it gained administrative privileges. The issue is exploitable only when the DMZ proxy feature is not in use. It has been exploited in the wild since July 2025; estimates of exposed instances vary by report, from more than 1,000 to roughly 55,000. Successful exploitation can result in the dumping of server credentials (including cleartext passwords), active session data, internal infrastructure endpoints, and full server logs containing session cookies.

**Recommendations**
Update CrushFTP 10 to version 10.8.5_12 or later.
Update CrushFTP 11 to version 11.3.4_26 or later.
As a temporary mitigation, enable the DMZ proxy feature, which removes the attack path described above.
Because exploitation exposes credentials and session cookies, treat any instance that was reachable while unpatched as potentially compromised: rotate stored passwords and session secrets, and review user and administrative account settings for unexpected changes.
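As an added example (not part of this advisory and not CrushFTP's own code), the following Python script checks a CrushFTP version string against the affected ranges stated above and applies the advisory's DMZ proxy precondition, so an inventory of servers can be triaged without guessing at build numbers. The version string format `major.minor.patch[_build]`, the function names and the sample inventory are assumptions for illustration; only the version thresholds come from the advisory text.

```python
"""Triage CrushFTP version strings against the ranges listed for
CVE-2025-54309 in the advisory above.

Thresholds are taken from the advisory text: CrushFTP 10 before 10.8.5 and
CrushFTP 11 before 11.3.4_23.  The version string format
"major.minor.patch[_build]", the function names and the sample hosts are
assumptions for illustration, not CrushFTP's own code or data.
"""
import re
from typing import Optional, Tuple

# First non-vulnerable build on each major branch, per the advisory.
# A missing build number is represented as 0.
FIXED_VERSIONS = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch' or 'major.minor.patch_build' into a tuple.

    A missing build number becomes 0 so that a plain '10.8.5' sorts below
    '10.8.5_12' but is still at or above the fixed threshold 10.8.5.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_affected_version(text: str) -> Optional[bool]:
    """Return True if the version is below the fixed build for its branch,
    False if it is at or above it, and None if the major branch is not
    covered by the advisory (e.g. anything other than 10 or 11)."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def is_exploitable(text: str, dmz_proxy_in_use: bool) -> Optional[bool]:
    """Combine the version check with the advisory's precondition: the
    issue is exploitable only when the DMZ proxy feature is not in use."""
    affected = is_affected_version(text)
    if affected is None:
        return None
    return affected and not dmz_proxy_in_use


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = [
        ("ftp-a.example.internal", "10.8.4", False),
        ("ftp-b.example.internal", "10.8.5_12", False),
        ("ftp-c.example.internal", "11.3.4_22", False),
        ("ftp-d.example.internal", "11.3.4_22", True),
        ("ftp-e.example.internal", "11.3.4_26", False),
    ]
    for host, ver, dmz in inventory:
        status = is_exploitable(ver, dmz)
        print(f"{host:26} {ver:10} dmz_proxy={dmz!s:5} exploitable={status}")
```

Note that a host on an affected build behind the DMZ proxy is reported as not exploitable, matching the advisory's temporary mitigation, but it is still on a vulnerable version and should be updated; treat the `None` result for an unknown major branch as "check manually", not as safe.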