PT-2025-30081 · CrushFTP · CrushFTP
Ben Spink
Published 2025-07-18 · Updated 2025-10-11
CVE-2025-54309
CVSS v3.1: 9.8 (Critical)
CVSS v3.1 base vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
CrushFTP versions prior to 10.8.5 and 11.3.4_23
Description
CrushFTP is affected by a critical vulnerability (CVE-2025-54309) that allows remote attackers to gain administrative access over HTTPS when the DMZ proxy feature is not in use. The root cause is improper handling of AS2 validation. Active exploitation has been observed in the wild since July 18, 2025, with reports that attackers are hijacking the "crushadmin" account to maintain backdoor access. Approximately 55,000 devices are still exposed. The vulnerability has a CVSS score of 9.0 and is considered critical. Attackers are exploiting this flaw to gain complete administrative access, potentially leading to data theft and the installation of backdoors. Over 1,000 instances remain vulnerable. The vulnerability allows unauthenticated remote code execution.
Recommendations
CrushFTP 10.x installations prior to 10.8.5 must be updated.
CrushFTP 11.x installations prior to 11.3.4_23 must be updated.
Tags: Exploit, Fix, RCE, LPE
Related Identifiers
BDU:2025-08775
CVE-2025-54309
Affected Products
CrushFTP
References
- https://github.com/watchtowrlabs/watchTowr-vs-CrushFTP-Authentication-Bypass-CVE-2025-54309 · Exploit
- https://bdu.fstec.ru/vul/2025-08775 · Security Note
- https://nvd.nist.gov/vuln/detail/CVE-2025-54309 · Security Note
- https://crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 · Security Note, Vendor Advisory
- https://safe-surf.ru/specialists/bulletins-nkcki/723276 · Security Note
- https://twitter.com/elhackernet/status/1947250407383666771 · Twitter Post
- https://twitter.com/trubetech/status/1946404076129751246 · Twitter Post
- https://twitter.com/Trej0Jass/status/1946836510768316881 · Twitter Post
- https://twitter.com/ThomasE895438/status/1954516555200393589 · Twitter Post
- https://twitter.com/securityRSS/status/1946987102882669030 · Twitter Post
- https://twitter.com/windowsforum/status/1946619230188642583 · Twitter Post
- https://twitter.com/cybertzar/status/1946553779865759972 · Twitter Post
- https://twitter.com/trubetech/status/1946337386473853175 · Twitter Post
- https://twitter.com/ncsc_gov_ie/status/1968031265686426046 · Twitter Post
- https://twitter.com/bigmacd16684/status/1961063466879361420 · Twitter Post