Summary
CVE-2025-54309 is a critical vulnerability in CrushFTP (versions before 10.8.5 and 11.3.4_23) caused by weak AS2 validation when the DMZ proxy is not used. Exploited in the wild since July 18, 2025, it allows attackers to gain full admin control over HTTPS, create accounts, change settings, and steal sensitive data. Thousands of servers are still exposed, and CISA has added it to the Known Exploited Vulnerabilities catalog. The flaw is fixed in versions 10.8.5_12 and 11.3.4_26, so urgent patching and log reviews are advised to avoid compromise.
Urgent Actions Required
- Upgrade CrushFTP to versions 10.8.5 or 11.3.4_23 (or later fixed builds 10.8.5_12 / 11.3.4_26) without delay.
- Restrict admin and server access using IP allowlists.
- Enable automatic updates to protect against future vulnerabilities.
- Check upload and download logs for suspicious activity.
- If a breach is suspected, restore default user settings from backups before July 16, 2025.
Which Systems Are Vulnerable to CVE-2025-54309?
Technical Overview
- Vulnerability Type: Improper AS2 validation leading to admin access
- Affected Software/Versions: CrushFTP versions before 10.8.5 and before 11.3.4_23 (when DMZ proxy is not used)
- Attack Vector: Network (HTTP/HTTPS)
- CVSS Score: 9.8
- CVSS Vector: CVSS:3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Patch Availability: Yes, available
How Does the CVE-2025-54309 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2025-54309?
Vulnerability Root Cause:
This flaw arises from incorrect handling of AS2 validation in CrushFTP. Without the DMZ proxy, the server misses security checks, letting attackers use crafted requests to gain admin access over HTTPS.
How Can You Mitigate CVE-2025-54309?
If immediate patching is delayed or not possible:
- Restrict exposure of CrushFTP instances to trusted networks only.
- Disable or limit external access wherever possible.
- Closely monitor logs for unusual HTTPS activity targeting AS2 validation.
- Apply strict access controls to reduce the risk of privilege escalation.
Will Patching CVE-2025-54309 Cause Downtime?
Patch application impact: Low. Updating to CrushFTP 10.8.5_12 or 11.3.4_26 addresses the flaw. The update process involves a standard server upgrade with minimal downtime. Regular deployments should not face significant disruption.
How Can You Detect CVE-2025-54309 Exploitation?
Exploitation Signatures:
Look for HTTPS requests exploiting AS2 validation flaws in CrushFTP. Malicious requests may attempt to bypass normal security checks when the DMZ proxy is not enabled.
MITRE ATT&CK Mapping:
- T1190 – Exploit Public-Facing Application
Indicators of Compromise (IOCs/IOAs):
- Unexpected administrator-level access to CrushFTP without valid credentials
- Suspicious activity on systems running vulnerable versions (prior to 10.8.5_12 and 11.3.4_26)
- Remote connections leveraging AS2 functionality where checks should normally apply
Behavioral Indicators:
- Admin sessions appearing without standard authentication
- Abnormal changes to server configuration or user management in CrushFTP logs
Alerting Strategy:
- Priority: Critical
- Trigger alerts for:
- Remote AS2 requests received when DMZ proxy is not enabled
- Unauthenticated admin access events
- Configuration or access changes outside expected user activity
Remediation & Response
Patch/Upgrade Instructions:
- Update to a fixed version of CrushFTP (10.8.5, 11.3.4_23, or later).
Mitigation Steps if No Patch:
Enable the DMZ proxy workaround if patching cannot be applied immediately.
Rollback Plan:
If issues occur after upgrading, revert to the previously stable CrushFTP version and keep the DMZ proxy workaround active until patching is re-applied.
Incident Response Considerations:
- Review server and proxy logs for suspicious activity.
- Collect evidence of unusual admin access attempts.
- After applying the patch, verify protections are effective and continue monitoring for potential exploitation attempts.
Compliance & Governance Notes
Standards Impacted:
- ISO 27001: A.12.6.1 – Management of technical vulnerabilities.
- NIST 800-53: SI-2 – Flaw Remediation.
- PCI-DSS: Requires patching within 30 days; missing this deadline may lead to non-compliance under v4.0 “30-day patch window.”
Audit Trail Requirement:
- Log all patch deployments, including date, time, responsible engineer, target systems, and version applied.
- Maintain a revision-controlled change log for “CrushFTP update” entries in your change-management records.
- Provide weekly compliance updates until all instances are confirmed patched.
Policy Alignment:
- Update the Vulnerability Management Policy to mandate regular CrushFTP version checks.
- Revise the Incident Response Plan to cover “CrushFTP authentication bypass” scenarios (detection → isolation → remediation).
Where Can I Find More Information on CVE-2025-20337?
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.8 | Critical severity indicating severe impact and easy exploitability |
| Attack Vector | Network | Vulnerability can be exploited remotely over HTTP/HTTPS |
| Attack Complexity | Low | Exploitation does not need special conditions |
| Privileges Required | None | No authentication or prior access is necessary |
| User Interaction | None | No user involvement is needed to trigger the flaw |
| Scope | UnChanged | Only the affected CrushFTP component is impacted |
| Confidentiality Impact | High | Exploitation can reveal sensitive data |
| Integrity Impact | High | Exploitation can allow changes or bypass security checks |
| Availability Impact | High | Exploitation can disrupt or disable CrushFTP services |
