CrushFTP - Authentication Bypass (CVE-2025-54309)

CVE-2025-54309 is a critical vulnerability in CrushFTP versions 10 before 10.8.5 and 11 before 11.3.4_23 that improperly handles AS2 validation when the DMZ proxy feature is disabled. This flaw allows remote attackers to gain administrative access over HTTPS, and has been actively exploited in the wild as of July 2025. Attackers leveraging this vulnerability could fully compromise affected servers, leading to unauthorized data access and control.

CrowdSec has been tracking this vulnerability and its exploits since 13th of August 2025.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2025-54309 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. CrowdSec network telemetry also shows that exploitation of CVE-2025-54309 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit unauthenticated endpoints such as /WebInterface/function/, /WebInterface/login/, and /WebInterface/json/ on CrushFTP servers to execute arbitrary commands or upload files, often by sending specially crafted XML, JSON, or form data payloads. These exploitation attempts typically target the system.exec or file.write methods to achieve remote code execution or unauthorized file manipulation.