🔴 CVE-2025-54309

Critical vulnerability in CrushFTP file transfer server allows remote attackers to obtain admin access via HTTPS through mishandled AS2 validation. Actively exploited in the wild with large numbers of internet-facing instances vulnerable.

Risk Level: HIGH_RISK
CVSS Score: 9.0
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-07-18

Added to CISA KEV: 2025-07-22 (4 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2025-09-06)

Here's what is known about the CVE-2025-54309 vulnerability:

  • Affected Applications/Services: The vulnerability affects the web interface of the CrushFTP managed file transfer software [1].
  • Internet-Facing: A large number of exposed, internet-facing instances are vulnerable [2].
  • Active Exploitation: CVE-2025-54309 is under active exploitation in the wild [3][1]. ReliaQuest observed attempted exploitation of this zero-day vulnerability [4].
  • Attack Vectors/Exploitation Methods:
    * Attackers can gain administrative control by sending crafted HTTP requests to internet-facing CrushFTP instances [3]; the underlying weakness is mishandled AS2 validation, reachable over HTTPS.
    * To exploit this vulnerability, an attacker first identifies a target CrushFTP instance [5].
  • Targeted Attacks: Not stated explicitly by the sources; because the flaw gives unauthenticated remote attackers administrative control of the server, it is well suited to targeted intrusions.
  • CISA KEV Status: CISA has added CVE-2025-54309 to its Known Exploited Vulnerabilities (KEV) catalog [6].
  • Technical Details:
    * CVE-2025-54309 is a critical vulnerability with a CVSS score of 9.0 [3][7].
    * The vulnerability exists in CrushFTP versions 10 before 10.8.5 and 11 before 11.3.4_23 [3]; the advisory quoted in [3] scopes it to deployments where the DMZ proxy feature is not in use.
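As an added example (not code from the original page or from CrushFTP), the following Python script classifies a constructed inventory of CrushFTP hosts against the affected ranges quoted above (10 before 10.8.5, 11 before 11.3.4_23) and the DMZ-proxy scoping from source [3]. The inventory, the host names, the bucket names and the rule that a version with no `_build` suffix sorts as build 0 are assumptions made for this example.

```python
"""Added example: triage a CrushFTP inventory against CVE-2025-54309.

Affected ranges come from the advisory text quoted on this page:
CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23. The inventory below is
constructed for the example; host names and fields are assumptions.
"""
import re
from dataclasses import dataclass

# First fixed build for each affected major release line.
FIXED_BUILDS = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn 'major.minor.patch[_build]' into a comparable tuple.

    Assumption: CrushFTP build numbers only increase within one patch
    release, so a version with no '_build' suffix is treated as build 0 and
    therefore sorts before '11.3.4_23'.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable_version(text: str) -> bool:
    """True if the version falls inside an affected range named in the advisory."""
    version = parse_version(text)
    fixed = FIXED_BUILDS.get(version[0])
    if fixed is None:
        # Major releases other than 10 and 11 are not named in the advisory;
        # treat them as out of scope rather than guessing.
        return False
    return version < fixed


@dataclass
class Host:
    name: str
    version: str
    internet_facing: bool
    dmz_proxy: bool  # True if the CrushFTP DMZ proxy feature fronts this instance


def classify(host: Host) -> str:
    """Assign a remediation bucket to one host.

    The advisory quoted in source [3] scopes the flaw to deployments where
    the DMZ proxy feature is not used, so a DMZ-fronted instance on a
    vulnerable build is bucketed as mitigated but still needing the patch.
    """
    if not is_vulnerable_version(host.version):
        return "patched"
    if host.dmz_proxy:
        return "mitigated_by_dmz_proxy"
    if host.internet_facing:
        return "patch_now"
    return "patch_soon"


def triage(hosts: list[Host]) -> dict[str, str]:
    """Map every host name to its remediation bucket."""
    return {host.name: classify(host) for host in hosts}


# Constructed inventory for the example (not real systems).
SAMPLE_INVENTORY = [
    Host("mft-edge-01", "11.3.4_22", internet_facing=True, dmz_proxy=False),
    Host("mft-edge-02", "11.3.4_23", internet_facing=True, dmz_proxy=False),
    Host("mft-edge-03", "11.3.4", internet_facing=True, dmz_proxy=False),
    Host("mft-dmz-01", "11.2.0_45", internet_facing=True, dmz_proxy=True),
    Host("mft-int-01", "10.8.4", internet_facing=False, dmz_proxy=False),
    Host("mft-int-02", "10.8.5", internet_facing=False, dmz_proxy=False),
]


if __name__ == "__main__":
    for name, bucket in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{name:14} {bucket}")
```

The mitigated bucket deserves the most scrutiny: the DMZ-proxy condition comes from the vendor's version scoping, not from anything the version string proves, so confirm the proxy is actually in the request path before deferring the patch on those hosts.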

Sources

  1. CVE-2025-54309: Crush FTP Vulnerability Exploited in the Wild

    This vulnerability in the CrushFTP managed file transfer software web interface is being exploited in the wild.

  2. eSentire | CrushFTP Zero-Day Vulnerability CVE-2025-54309

    Given the large number of exposed, internet-facing vulnerable instances and ongoing exploitation of the CVE-2025-54309, organizations are strongly urged to ...

  3. Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on ...

    A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS score of 9.0. "CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not...

  4. First Look at CVE-2025-54309: Dissecting the Latest CrushFTP Exploit

    ReliaQuest observed an attempted exploitation of CVE-2025-54309—a zero-day vulnerability in CrushFTP’s file transfer software.

  5. CVE-2025-54309: Critical Admin Access Vulnerability in... - IONIX

    Exploitation Methods CVE-2025-54309. To exploit this vulnerability, an attacker: Identifies a target CrushFTP instance that…