CrushFTP - Authentication Bypass (CVE-2025-54309)

CVE-2025-54309 is a critical vulnerability in CrushFTP versions 10 before 10.8.5 and 11 before 11.3.4_23 that improperly handles AS2 validation when the DMZ proxy feature is disabled. This flaw allows remote attackers to gain administrative access over HTTPS, and has been actively exploited in the wild as of July 2025. Attackers leveraging this vulnerability could fully compromise affected servers, leading to unauthorized data access and control.

CrowdSec has been tracking this vulnerability and its exploits since 13th of August 2025.

Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2025-54309 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2025-54309 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2025-54309 continues to be an active part of the threat landscape and will likely remain this way for the forseeable future.

Attackers exploit unauthenticated endpoints such as /WebInterface/function/, /WebInterface/login/, and /WebInterface/json/ on CrushFTP servers to execute arbitrary commands or upload files, often by sending specially crafted XML, JSON, or form data payloads. These exploitation attempts typically target the system.exec or file.write methods to achieve remote code execution or unauthorized file manipulation.