PT-2025-30081 · CrushFTP · CrushFTP
Ben Spink
Published: 2025-07-18 · Updated: 2025-07-21
CVE-2025-54309 · CVSS 9.0 (Critical)
Base vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
**Name of the Vulnerable Software and Affected Versions:**
CrushFTP versions prior to 10.8.5 and versions prior to 11.3.4 23
**Description:**
CrushFTP is affected by a zero-day vulnerability that allows remote attackers to obtain admin access over HTTPS when the DMZ proxy feature is not in use. The root cause is improper handling of AS2 validation. The vulnerability has been actively exploited in the wild since July 18, 2025, and approximately 291,903 exposed devices running CrushFTP are estimated to be affected. Compromised instances may lead to data theft and the installation of backdoors.
**Recommendations:**
- CrushFTP versions prior to 10.8.5: update to version 10.8.5 or later.
- CrushFTP versions prior to 11.3.4 23: update to version 11.3.4 23 or later.