CrushFTP - Authentication Bypass (CVE-2025-54309)

CVE-2025-54309 is a critical vulnerability in CrushFTP versions 10 before 10.8.5 and 11 before 11.3.4_23 that improperly handles AS2 validation when the DMZ proxy feature is disabled. This flaw allows remote attackers to gain administrative access over HTTPS, and has been actively exploited in the wild as of July 2025. Attackers leveraging this vulnerability could fully compromise affected servers, leading to unauthorized data access and control.

CrowdSec has been tracking this vulnerability and its exploits since 13th of August 2025.

CrowdSec network data shows that most actors exploiting CVE-2025-54309 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-54309 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-54309 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit unauthenticated endpoints such as /WebInterface/function/, /WebInterface/login/, and /WebInterface/json/ on CrushFTP servers to execute arbitrary commands or upload files, often by sending specially crafted XML, JSON, or form data payloads. These exploitation attempts typically target the system.exec or file.write methods to achieve remote code execution or unauthorized file manipulation.