PT-2025-30081 · Crushftp · Crushftp

Ben Spink

·

Published

2025-07-18

·

Updated

2025-08-31

·

CVE-2025-54309

CVSS v3.1
9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions:**

CrushFTP 10.x prior to 10.8.5 and CrushFTP 11.x prior to 11.3.4_23

**Description:**

CrushFTP mishandles AS2 validation, which allows an unauthenticated remote attacker to obtain administrative access over HTTPS when the DMZ proxy feature is not used. Active exploitation of this flaw has been observed since July 18, 2025, and an estimated 1,000 or more servers remain vulnerable. A compromised CrushFTP instance can lead to data theft, backdoor installation, and further intrusion into the surrounding network.

**Recommendations:**

CrushFTP 10.x installations prior to 10.8.5 should be updated to 10.8.5 or later.

CrushFTP 11.x installations prior to 11.3.4_23 should be updated to 11.3.4_23 or later.
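The following is an added example, not code from this advisory or from CrushFTP, that turns the affected-version ranges above into an inventory check. It assumes CrushFTP version strings have the form `major.minor.patch` with an optional `_build` suffix (as in `11.3.4_23`), treats a missing build number as 0, and mirrors the advisory's scoping by reporting instances that use the DMZ proxy feature as not affected; the inventory it scans is constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the advisory: 10.x is fixed at 10.8.5, 11.x at 11.3.4_23.
# Stored as (major, minor, patch, build) so tuples compare lexicographically.
FIXED: Dict[int, Tuple[int, int, int, int]] = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}

# Assumed format: "major.minor.patch" with an optional "_build" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a CrushFTP version string such as '11.3.4_23' or '10.8.5'.

    A missing build suffix is treated as build 0 (an assumption), so that
    '11.3.4' sorts below the fixed build '11.3.4_23'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str, dmz_proxy_in_use: bool = False) -> Optional[bool]:
    """Return True if `version` falls in the affected range for CVE-2025-54309.

    Returns False for fixed builds and, per the advisory's scoping, for
    deployments that use the DMZ proxy feature. Returns None when the major
    version is not covered by the advisory (neither 10 nor 11) so the caller
    can route it to manual review instead of silently treating it as safe.
    """
    parsed = parse_version(version)
    if dmz_proxy_in_use:
        return False
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"host": "sftp-01", "version": "11.3.4_23", "dmz_proxy": False},
    {"host": "sftp-02", "version": "11.3.4_20", "dmz_proxy": False},
    {"host": "sftp-03", "version": "11.3.4", "dmz_proxy": False},
    {"host": "legacy-ftp", "version": "10.8.3", "dmz_proxy": False},
    {"host": "edge-dmz", "version": "11.2.0_1", "dmz_proxy": True},
    {"host": "archive", "version": "9.5.0", "dmz_proxy": False},
]


def triage(inventory: List[Dict[str, object]]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'not_affected' or 'review'."""
    result: Dict[str, str] = {}
    for entry in inventory:
        verdict = is_vulnerable(str(entry["version"]), bool(entry["dmz_proxy"]))
        if verdict is None:
            result[str(entry["host"])] = "review"
        elif verdict:
            result[str(entry["host"])] = "vulnerable"
        else:
            result[str(entry["host"])] = "not_affected"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

Even where the check reports a DMZ-proxied instance as not affected, the recommendation above still applies: update every CrushFTP 10.x or 11.x install to the fixed build rather than relying on the deployment topology.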

Exploit

Fix

RCE

Related Identifiers

BDU:2025-08775
CVE-2025-54309

Affected Products

Crushftp