CVE-2025-54309
BaseFortify
Publication date: 2025-07-18
Last updated on: 2025-11-05
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| crushftp | crushftp | From 10.0.0 (inc) to 10.8.5 (exc) |
| crushftp | crushftp | From 11.0.0 (inc) to 11.3.4_23 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-420 | The product protects a primary channel, but it does not use the same level of protection for an alternate channel. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54309 is a zero-day vulnerability in CrushFTP versions 10.x before 10.8.5 and 11.x before 11.3.4_23 that mishandles AS2 validation when the DMZ proxy feature is not used. The flaw allows remote attackers to gain administrative access over HTTPS by abusing the AS2 HTTP(S) handling bug. It was actively exploited in the wild in July 2025 against servers that had not been updated to the patched versions. [1]
How can this vulnerability impact me?
This vulnerability can allow remote attackers to obtain full administrative access to the affected CrushFTP server without authentication. This means attackers can control the server, potentially modify or delete data, create new admin users, and compromise the integrity and availability of the system. Indicators of compromise include unexpected changes to user files, creation of unknown admin users, and abnormal login records. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for indicators of compromise such as recent modifications to the file MainUsers/default/user.XML, presence of an abnormal "last_logins" field, creation of long random user IDs with admin access, and unknown new admin users. To detect these, you can inspect the CrushFTP user folder for unexpected changes. For example, on a Linux system, you might use commands like `ls -lt /path/to/CrushFTP/backup/users/MainUsers/default/` to check recent file modifications, or `grep -i last_logins /path/to/CrushFTP/backup/users/MainUsers/default/user.XML` to look for the abnormal field. Additionally, reviewing logs for unusual HTTPS access patterns or new admin user creations can help identify exploitation attempts. [1]
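As an added example (not part of the BaseFortify record and not CrushFTP's own tooling), the following Python script turns the indicators listed above into a repeatable check over a CrushFTP users directory: it flags any `user.XML` containing a `last_logins` element, any admin user not on an operator-maintained allow-list, long random-looking admin user IDs, and files modified after a given timestamp. The element names `username`, `admin` and `last_logins` are assumptions about the `user.XML` layout, as are the entropy thresholds; the sample XML in the test is constructed.

```python
"""Hunt for the CVE-2025-54309 post-exploitation indicators in CrushFTP user.XML files.

Added example, not code from BaseFortify or CrushFTP. Element names below are an
assumed user.XML layout and should be adjusted to match the real files.
"""
import math
import os
import re
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Assumed element names (not documented on the page).
USERNAME_TAG = "username"
ADMIN_TAG = "admin"
LAST_LOGINS_TAG = "last_logins"


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random IDs score higher than human-chosen names."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(username: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Heuristic for 'long random user ID': long, alphanumeric, high entropy (assumed thresholds)."""
    return (
        len(username) >= min_len
        and re.fullmatch(r"[A-Za-z0-9_-]+", username) is not None
        and shannon_entropy(username) >= min_entropy
    )


def analyze_user_xml(xml_text: str, known_admins: set[str]) -> list[str]:
    """Return a list of finding strings for one user.XML document."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    username = (root.findtext(USERNAME_TAG) or "").strip()
    is_admin = (root.findtext(ADMIN_TAG) or "").strip().lower() == "true"

    # Indicator 1: the abnormal last_logins field, anywhere in the document.
    if any(el.tag == LAST_LOGINS_TAG for el in root.iter()):
        findings.append(f"{username or '?'}: abnormal '{LAST_LOGINS_TAG}' field present")
    # Indicator 2: an admin account the operator does not recognise.
    if is_admin and username not in known_admins:
        findings.append(f"{username}: admin user not in the known-admin list")
    # Indicator 3: a long random-looking user ID with admin rights.
    if is_admin and looks_random(username):
        findings.append(f"{username}: long random-looking admin user ID")
    return findings


def scan_users_dir(users_dir: str, known_admins: set[str], modified_after: float) -> list[str]:
    """Walk a MainUsers directory, analysing every user.XML and flagging recent modifications."""
    findings: list[str] = []
    for dirpath, _dirs, files in os.walk(users_dir):
        for name in files:
            if name.lower() != "user.xml":
                continue
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mtime > modified_after:
                findings.append(f"{path}: modified after cutoff")
            with open(path, encoding="utf-8", errors="replace") as fh:
                try:
                    findings.extend(f"{path}: {f}" for f in analyze_user_xml(fh.read(), known_admins))
                except ET.ParseError as exc:
                    findings.append(f"{path}: unparseable XML ({exc})")
    return findings


if __name__ == "__main__":
    # Usage: python check_crushftp_users.py /path/to/CrushFTP/users/MainUsers <cutoff-epoch> admin1,admin2
    users_dir, cutoff, admins = sys.argv[1], float(sys.argv[2]), set(sys.argv[3].split(","))
    for line in scan_users_dir(users_dir, admins, cutoff):
        print(line)
```

The script is deliberately read-only: it reports, and the restore or delete decision stays with the operator. Tune the entropy threshold against your own account naming before relying on the random-ID heuristic, and keep the known-admin list in version control so drift is itself an auditable event.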
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restoring the default user from backups made before the exploit, located in the CrushFTP folder under backup/users/MainUsers/default, using extraction tools like WinRAR or WinZip if needed. Alternatively, deleting the default user folder will cause CrushFTP to recreate it, though this will remove any customizations. Additionally, limit administrative access by IP whitelisting, deploy a DMZ CrushFTP instance if possible, and ensure frequent automatic patching to keep CrushFTP updated to versions 10.8.5 or later, or 11.3.4_23 or later. [1]