Go back to All Blog posts

CVE-2025-54309: Critical Admin Access Vulnerability in CrushFTP – What You Need to Know and Do

July 20, 2025

Summary CVE-2025-54309

A critical remote code execution vulnerability, CVE-2025-54309, has been identified in CrushFTP server, impacting versions prior to 10.8.5 and 11.3.4_23. This vulnerability exists when the DMZ proxy feature is not in use. It stems from improper validation in the AS2 (Applicability Statement 2) protocol over HTTPS, allowing unauthenticated remote attackers to gain administrative access to the system. The IONIX research team recommends immediate patching to versions 10.8.5_12 or 11.3.4_26, which contain the vendor-provided fix. Public exploitation activity has been confirmed, and CrushFTP instances exposed to the internet are considered high-risk targets.
IONIX customers will see updated information on their specific assets in the threat center of the IONIX portal.

With confirmed active exploitation in the wild, and broad exposure across enterprise environments, this CVE poses a high-impact risk and demands urgent patching.

Vulnerability Description: CVE-2025-54309

CVE ID: CVE-2025-54309
CVSS Score: 10.0 (Critical)
Affected Versions:

  • CrushFTP v10.x < 10.8.5_12
  • CrushFTP v11.x < 11.3.4_26

The vulnerability lies in CrushFTP’s implementation of AS2 over HTTPS, where the server fails to correctly validate remote requests made to AS2 endpoints. When the DMZ proxy is not used, an attacker can forge requests that the system interprets as coming from a trusted source – bypassing authentication checks entirely.

This allows the attacker to send administrative commands via the exposed AS2 interface and, depending on server configuration, escalate access to run arbitrary commands as root/system.

Exploitation Methods CVE-2025-54309

To exploit this vulnerability, an attacker:

  1. Identifies a target CrushFTP instance that:
    • Is accessible over HTTPS.
    • Has AS2 enabled.
    • Is not using the DMZ proxy feature.
  2. Crafts a malicious AS2 payload that impersonates a trusted system.
  3. Sends the payload over HTTPS to the exposed CrushFTP endpoint.
    • The payload mimics a legitimate AS2 request, but contains embedded administrative instructions.
  4. Due to improper validation, the server processes the request with elevated privileges.
  5. The attacker now has:
    • Full administrative access to the CrushFTP server.
    • Potential access to any files, credentials, or internal services connected via that server.
    • The ability to create new users, modify configurations, or trigger remote command execution.

Real-World Impact

This vulnerability is especially dangerous for the following reasons:

  • No authentication required: Remote attackers don’t need prior access.
  • CrushFTP is often public-facing: Making many instances directly reachable over the internet.
  • Active exploitation confirmed: Several reports indicate widespread scanning and compromise.

The potential outcomes include:

  • Data exfiltration from sensitive file shares.
  • Credential theft from stored server configurations.
  • Network lateral movement, using the CrushFTP instance as an entry point.
  • Supply chain compromise, if used in partner data transfers.
  • Regulatory non-compliance, especially under HIPAA, GDPR, or SOC2.

Mitigation Guidance

CrushFTP has released patched versions to address the issue. To mitigate:

✅ Immediate Fix

Upgrade to:

  • v10.8.5_12 (or newer)
  • v11.3.4_26 (or newer)

You can download patches here: https://www.crushftp.com/download.html

🛡️ Additional Recommendations

  1. Enable DMZ Proxy Mode
    If you cannot upgrade immediately, enabling the DMZ proxy feature will isolate the AS2 interface and block direct attacks. Configuration Example (prefs.XML): xmlCopyEdit<prefs> ... <dmz_mode>true</dmz_mode> ... </prefs>
  2. Restrict AS2 Exposure
    Block access to /as2 endpoints from untrusted networks using firewall rules or reverse proxies. NGINX Reverse Proxy Snippet: nginxCopyEditlocation /as2 { allow 192.168.0.0/16; # trusted internal range deny all; }
  3. Monitor Logs for Indicators of Compromise (IoC)
    • Look for unexpected AS2 POSTs or unknown user activity in logs/as2.log or logs/user_events.log.
  4. Implement Intrusion Detection Rules
    Add YARA/Snort rules to identify malicious AS2 requests targeting this flaw.
  5. Audit Server Users and Configurations
    After patching, validate that no unauthorized users, admin changes, or backdoors were added.

Sample Exploit Payload (For Research Purposes Only)

httpCopyEditPOST /as2 HTTP/1.1
Host: vulnerable-crushftp.example.com
Content-Type: application/pkcs7-mime; smime-type=enveloped-data

<base64-encoded malicious payload>

Within the payload:

  • Forged headers simulate trusted partner identifiers.
  • Embedded admin commands manipulate user roles and configs.

CVE-2025-54309 Timeline

  • July 8, 2025: Vulnerability reported to vendor.
  • July 12, 2025: Vendor releases patched versions.
  • July 15, 2025: Public disclosure of CVE-2025-54309.
  • July 18, 2025: Exploitation seen in the wild.

Am I Impacted by CVE-2025-54309?

You may be affected if:

  • You are running CrushFTP v10.x or v11.x prior to the patched versions.
  • Your AS2 endpoint is accessible over HTTPS.
  • You are not using the DMZ proxy feature.
  • IONIX customers can see real-time insights about vulnerable CrushFTP instances in their Threat Center dashboard.

References

WATCH A SHORT IONIX DEMO

See how easy it is to implement a CTEM program with IONIX. Find and fix exploits fast.

THE LATEST FROM IONIX

Marc Gaffan
November 6, 2025
Why External Exposure Management Must Be at the Core of Your Security Operations
Learn more
Marc Gaffan
November 3, 2025
Let’s be blunt, External Attack Surface Management has run its course
Learn more
Billy Hoffman
October 9, 2025
Exposed, Misconfigured and Forgotten: The Triple Threat of External Risk (and how to fix with Cloudflare and IONIX) 
Learn more