PT-2025-30081 · CrushFTP · CrushFTP
Ben Spink · Published 2025-07-18 · Updated 2025-09-09
CVE-2025-54309 · CVSS 9.8 · Critical
Base vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
**Name of the Vulnerable Software and Affected Versions:**
CrushFTP 10.x versions prior to 10.8.5 and CrushFTP 11.x versions prior to 11.3.4_23
**Description:**
CrushFTP is vulnerable to a critical flaw that allows an unauthenticated remote attacker to obtain administrative access over HTTPS when the DMZ proxy feature is not in use; the root cause is improper handling of AS2 validation. Exploitation in the wild was observed from July 18, 2025, and over 1,000 Internet-exposed servers were estimated to still be vulnerable. Attackers have been observed hijacking the built-in "crushadmin" account to keep a backdoor into compromised servers. Note the scoring discrepancy on this page: the header lists 9.8 with the AV:N/AC:L vector shown there, while NVD's published CVSS 3.1 base score for CVE-2025-54309 is 9.0. Under either score the issue is critical, because a successful attack yields full administrative control of the server.
**Recommendations:**
Update CrushFTP 10.x installations to 10.8.5 or later.
Update CrushFTP 11.x installations to 11.3.4_23 or later.
Installations whose HTTPS service is fronted by the CrushFTP DMZ proxy are not exposed to this particular flaw, but should be updated on the same schedule. Because the crushadmin account was hijacked in observed attacks, review admin accounts and their last-login history on any server that was reachable over HTTPS while unpatched.
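The affected-version boundaries above are easy to get wrong by hand because CrushFTP appends a build number with an underscore (11.3.4_23), so a plain string or dotted-number comparison misorders 11.3.4 against 11.3.4_23 or 11.3.4_9. The following is an added example, not CrushFTP's own code or tooling: it parses that MAJOR.MINOR.PATCH[_BUILD] shape (an assumption about the version format; a missing build suffix is treated as build 0), compares each version against the fixed build for its major line, and runs the check over a constructed inventory whose hostnames and versions are made up for the example.

```python
"""Check CrushFTP version strings against the fixed builds in this advisory.

Added example, not CrushFTP's own code. Assumes versions look like
MAJOR.MINOR.PATCH with an optional "_BUILD" suffix (e.g. "11.3.4_23");
a version with no build suffix is treated as build 0, which is earlier
than any suffixed build of the same patch level.
"""
from __future__ import annotations

import re
from typing import Optional

# Fixed builds named in the advisory, keyed by major version line.
FIXED_BUILDS = {10: "10.8.5", 11: "11.3.4_23"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(s: str) -> tuple[int, int, int, int]:
    """Return (major, minor, patch, build) so tuples compare correctly."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {s!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if `version` predates the fixed build for its major line.

    Returns None for major versions the advisory does not cover
    (e.g. end-of-life 9.x), so callers can flag them separately rather
    than silently treating them as safe.
    """
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[0])
    if fixed is None:
        return None
    return v < parse_version(fixed)


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ftp-a.example": "10.8.4",     # 10.x, before the fix
    "ftp-b.example": "10.8.5",     # 10.x, fixed build
    "ftp-c.example": "11.3.4",     # no build suffix: earlier than 11.3.4_23
    "ftp-d.example": "11.3.4_9",   # build 9 < build 23
    "ftp-e.example": "11.3.4_23",  # 11.x, fixed build
    "ftp-f.example": "11.3.5",     # later patch level
    "ftp-g.example": "9.5.0",      # outside the advisory's scope
}


def vulnerable_hosts(inventory: dict[str, str]) -> list[str]:
    """Hosts whose version is positively identified as vulnerable."""
    return sorted(h for h, v in inventory.items() if is_vulnerable(v) is True)


def unclassified_hosts(inventory: dict[str, str]) -> list[str]:
    """Hosts running a major line the advisory does not cover."""
    return sorted(h for h, v in inventory.items() if is_vulnerable(v) is None)


if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:16} {ver:10} vulnerable={is_vulnerable(ver)}")
    print("patch now:", vulnerable_hosts(SAMPLE_INVENTORY))
    print("review separately:", unclassified_hosts(SAMPLE_INVENTORY))
```

A version check only tells you whether a host could have been exploited; it says nothing about whether it was. Any host this reports as vulnerable that was reachable over HTTPS without the DMZ proxy since mid-July 2025 should also be checked for the crushadmin hijack described above.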
References
- https://github.com/watchtowrlabs/watchTowr-vs-CrushFTP-Authentication-Bypass-CVE-2025-54309 · Exploit (proof of concept)
- https://safe-surf.ru/specialists/bulletins-nkcki/723276 · Security note
- https://nvd.nist.gov/vuln/detail/CVE-2025-54309 · NVD entry
- https://crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 · Vendor advisory
- https://bdu.fstec.ru/vul/2025-08775 · Security note
- https://t.me/cvenotify/129520 · Telegram post
- https://reddit.com/r/CVEWatch/comments/1n7aq5a/top_10_trending_cves_03092025 · Reddit post
- https://twitter.com/TweetThreatNews/status/1948307362369929422 · Twitter post
- https://twitter.com/threatcluster/status/1946483437176762795 · Twitter post
- https://twitter.com/ggrubamn/status/1947297276306788764 · Twitter post
- https://twitter.com/liontarakos/status/1961782588508426545 · Twitter post
- https://twitter.com/pro_recover_y/status/1962509006133465230 · Twitter post
- https://twitter.com/ASavran8394/status/1955932004354056225 · Twitter post
- https://twitter.com/watchtowrcyber/status/1960566377808265253 · Twitter post
- https://twitter.com/TweetThreatNews/status/1947219186301689973 · Twitter post