Hackers Target Critical CrushFTP Vulnerability to Gain Administrative Access on Unpatched Servers
July 20, 2025
Vulnerability / Threat Intelligence
A recently identified critical vulnerability in CrushFTP is now being actively exploited. Designated CVE-2025-54309, this flaw has a CVSS score of 9.0. According to the NIST National Vulnerability Database, “CrushFTP versions 10 prior to 10.8.5 and 11 prior to 11.3.4_23, when the DMZ proxy feature is not in use, improperly handles AS2 validation, enabling remote attackers to gain admin access via HTTPS.”

CrushFTP reported detecting the first zero-day exploitation of this vulnerability on July 18, 2025, at 9 a.m. CST, although they noted that it might have been weaponized earlier. The company explained, “The attack vector utilized HTTP(S) to exploit the server. While we had addressed a separate AS2-related issue in HTTP(S), we did not realize that a previous bug could be exploited in this manner. It seems hackers observed our code changes and took advantage of them.”
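Added here as an example, not part of the article or CrushFTP's own tooling: a short Python check that maps CrushFTP version strings against the affected ranges quoted from NVD above, so an inventory can be triaged for patching. It assumes version strings of the form `10.8.4` or `11.3.4_23`, with the underscore suffix treated as a build number that sorts after the dotted part; the host inventory is constructed.

```python
"""Flag CrushFTP installs whose version falls in the ranges NVD lists as
affected by CVE-2025-54309: 10.x before 10.8.5 and 11.x before 11.3.4_23.

Assumption: a version string is "major.minor.patch" with an optional "_NN"
build suffix, and a missing suffix sorts before any numbered build.
"""
import re
from typing import Iterable, List, Optional, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

# Fixed releases per major line, taken from the NVD description in the article.
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn "11.3.4_23" into (11, 3, 4, 23); a missing build suffix becomes 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is below the fixed release for its major line.

    Returns None for unparsable strings or major lines not covered by the
    advisory, so those hosts can be routed to manual review instead of being
    silently reported as safe.
    """
    parsed = parse_version(version)
    if parsed is None or parsed[0] not in FIXED:
        return None
    return parsed < FIXED[parsed[0]]  # tuple comparison handles the build suffix


def triage(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hostnames from (host, version) pairs that need patching."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory for a stand-alone run (not real hosts).
SAMPLE = [
    ("ftp-a.example.test", "11.3.4_22"),
    ("ftp-b.example.test", "11.3.4_23"),
    ("ftp-c.example.test", "10.8.4"),
    ("ftp-d.example.test", "10.8.5"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # → ['ftp-a.example.test', 'ftp-c.example.test']
```

NVD scopes the flaw to deployments where the DMZ proxy feature is not in use, so the script's output is a patch list, not a confirmation of exposure; hosts behind the DMZ proxy still appear and are still worth updating.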