PT-2025-30081 · Crushftp · Crushftp

Ben Spink

·

Published

2025-07-18

·

Updated

2026-01-18

·

CVE-2025-54309

CVSS v3.1
9.8
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CrushFTP versions prior to 10.8.5 and 11.3.4_23
Description: CrushFTP is affected by a critical vulnerability that allows remote, unauthenticated attackers to gain administrative access over HTTPS when the DMZ proxy feature is not in use. The root cause is improper handling of AS2 validation. The issue, tracked as CVE-2025-54309, is actively exploited in the wild; published CVSS scores differ by source (9.0 and 9.8). Attackers have been observed hijacking the built-in "crushadmin" account to keep a backdoor, and the administrative access obtained this way leads to unauthenticated remote code execution. Exploitation was first detected on July 18, 2025, and a proof-of-concept exploit has since been released. Approximately 291,903 CrushFTP devices are exposed to the internet, with the US, Germany and Canada the most affected countries, and over 1,000 instances remain vulnerable.
Recommendations: Update CrushFTP to version 10.8.5_12 or 11.3.4_26 or later. The flaw is only reachable when the DMZ proxy feature is not used, so hosts fronted by the DMZ proxy are not exposed to this issue but should still be updated. Updating does not evict an attacker who has already hijacked the "crushadmin" account; review that account and its recent logins after patching.
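The affected range above is easy to get wrong in an inventory script because CrushFTP build strings carry an `_NN` suffix, and a plain string comparison sorts `11.3.4_9` after `11.3.4_23`. The following is an added triage example, not code from the page or from CrushFTP: it parses the version string into a comparable tuple, applies the stated affected range (prior to 10.8.5 and prior to 11.3.4_23), and honours the DMZ proxy precondition. The rule that a bare release such as `11.3.4` sorts before `11.3.4_23`, the `dmz_proxy` inventory flag and the hostnames in the sample inventory are assumptions of this example.

```python
import re

# Affected range as stated on this page: CrushFTP versions prior to 10.8.5 and
# 11.3.4_23. The "_NN" suffix is CrushFTP's build number; a bare release such as
# "11.3.4" is treated here as build 0, i.e. older than "11.3.4_23". That
# ordering is an assumption of this example, not something the page states.
FIXED_10 = (10, 8, 5, 0)
FIXED_11 = (11, 3, 4, 23)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\s*$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn 'major.minor.patch[_build]' into a comparable integer tuple."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str, dmz_proxy_in_use: bool = False) -> bool:
    """True if the build is inside the affected range and the precondition holds.

    The page states the flaw is reachable only when the DMZ proxy feature is
    not used, so a host fronted by the DMZ proxy is reported as not vulnerable
    to this issue regardless of build (it still needs the update).
    """
    if dmz_proxy_in_use:
        return False
    v = parse_version(version)
    if v[0] >= 11:
        return v < FIXED_11   # 11.x before 11.3.4_23; 12+ is outside the range
    return v < FIXED_10       # 10.x before 10.8.5, and any older major still running


def triage(inventory: list[dict]) -> list[str]:
    """Return the hostnames that still need patching, in inventory order."""
    return [
        h["host"]
        for h in inventory
        if is_vulnerable(h["version"], h.get("dmz_proxy", False))
    ]


# Constructed sample inventory (hostnames are made up) that exercises the edge
# cases: a bare release without a build suffix, a build whose string compares
# "higher" than the fix but is numerically older, and a DMZ-fronted host.
SAMPLE_INVENTORY = [
    {"host": "ftp-a.example.test", "version": "11.3.4_26"},
    {"host": "ftp-b.example.test", "version": "11.3.4"},
    {"host": "ftp-c.example.test", "version": "11.3.4_9"},
    {"host": "ftp-d.example.test", "version": "10.8.4"},
    {"host": "ftp-e.example.test", "version": "10.8.5_12"},
    {"host": "ftp-f.example.test", "version": "11.3.1", "dmz_proxy": True},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("NEEDS UPDATE:", host)
```

Run against the sample inventory this flags `ftp-b`, `ftp-c` and `ftp-d`; `ftp-c` is the case a string comparison would miss. Treat a `dmz_proxy` result of "not vulnerable" as a scheduling aid only, since the recommendation is still to update every host.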

Exploit

Fix

LPE

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-08775
CVE-2025-54309

Affected Products

Crushftp