CVE-2025-54309: exploited in the wild

CrushFTP, authentication bypass via AS2 validation (admin-access zero-day)

CrushFTP mishandles AS2 validation when the DMZ proxy feature is not in use, allowing a remote unauthenticated attacker to obtain administrative access over HTTPS. The vulnerability was exploited in the wild as a zero-day beginning in July 2025, giving attackers admin control of unpatched servers.

Overview

CVE-2025-54309 is a critical authentication bypass in CrushFTP, a popular managed file-transfer server. When the DMZ proxy feature is not in use, the server mishandles AS2 validation, letting a remote unauthenticated attacker gain administrative access over HTTPS. CrushFTP reported in-the-wild exploitation as a zero-day starting in mid-July 2025, with attackers seizing admin control of internet-exposed, unpatched instances. This continues the pattern of CrushFTP being targeted shortly after (or even before) each disclosure.

Technical Details

The vulnerability is a flawed protection mechanism around AS2 (the file-exchange protocol) request handling. With the DMZ proxy disabled, a crafted request reaches an administrative code path without proper authentication, allowing the attacker to create or assume an administrative session. From the admin context, the attacker can read and write files, add users, and run server features: effectively full control of the file-transfer platform. CrushFTP reported that customers with auto-update enabled were already protected, while manually managed servers were the primary victims.

Impact

  • Unauthenticated administrative takeover of the CrushFTP server.
  • Data exposure: MFT servers broker sensitive files between partners and internal systems.
  • Persistence and pivoting: admin access enables backdoor users and downstream attacks.
  • Rapid CISA KEV listing reflects confirmed exploitation.

Mitigation

  1. Upgrade immediately to CrushFTP 11.3.4_23 (11.x) or 10.8.5 (10.x) or later.
  2. Enable the DMZ proxy instance where feasible, which mitigates this attack path.
  3. Review the admin user list and configuration for unauthorized changes; restore from a known-good backup if compromise is found.
  4. Restrict the admin interface to trusted networks and enable automatic updates going forward.

Detection

  • Check the CrushFTP MainUsers/default and user configuration for unexpected admin accounts or modified last_logins.
  • Review server logs for unusual admin sessions and configuration writes from unknown IPs.
  • CrushFTP's release notes document indicators; CISA added the CVE to the KEV catalog on July 22, 2025.
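The mitigation and detection steps above reduce to three checks a responder can script: is the running version at or past the fixed release for its branch, does the current admin list match a known-good baseline, and do the logs show admin sessions or configuration writes from outside trusted networks. The following is an added example written for this advisory; it is not CrushFTP's own tooling, and the user-record layout, the log line format and every sample value (IPs, usernames, timestamps) are constructed assumptions that you would replace with parsers for your actual `users/MainUsers` files and server logs. The fixed versions (11.3.4_23 and 10.8.5) are the ones stated above; the underscore build suffix is parsed as a fourth version component.

```python
import ipaddress
import re

# Fixed releases from the advisory, keyed by major branch.
# "11.3.4_23" -> (11, 3, 4, 23); "10.8.5" -> (10, 8, 5, 0).
FIXED = {11: (11, 3, 4, 23), 10: (10, 8, 5, 0)}


def parse_version(v):
    """Parse 'major.minor.patch[_build]' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {v!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_patched(v):
    """True only when the version is at or above the fixed release for its
    branch. Branches not listed in FIXED are reported as not verified (False)
    so they are reviewed by hand rather than silently passed."""
    ver = parse_version(v)
    return ver[0] in FIXED and ver >= FIXED[ver[0]]


def unexpected_admins(current_users, known_good_admins):
    """current_users is an assumed {username: {"admin": bool, ...}} mapping
    built from the user configuration. Returns admin accounts that are not in
    the known-good baseline, sorted for stable reporting."""
    current = {u for u, info in current_users.items() if info.get("admin")}
    return sorted(current - set(known_good_admins))


# Assumed log line shape (constructed for this example):
#   "<date> <time> [<client ip>] <user> <event text>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<ip>[^\]]+)\] (?P<user>\S+) (?P<event>.+)$")


def suspicious_admin_events(log_lines, trusted_nets, admins):
    """Return (timestamp, ip, user, event) for every event by an admin
    account whose source IP is outside the trusted networks."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: not this example's concern
        ip = ipaddress.ip_address(m["ip"])
        if m["user"] in admins and not any(ip in net for net in trusted):
            hits.append((m["ts"], m["ip"], m["user"], m["event"]))
    return hits


def triage(version, current_users, known_good_admins, trusted_nets, log_lines):
    """Combine the three checks into one report dict."""
    admins = {u for u, info in current_users.items() if info.get("admin")}
    return {
        "patched": is_patched(version),
        "unexpected_admins": unexpected_admins(current_users, known_good_admins),
        "untrusted_admin_events": suspicious_admin_events(log_lines, trusted_nets, admins),
    }


# Constructed sample data; none of these values come from a real incident.
SAMPLE_USERS = {
    "crushadmin":   {"admin": True,  "last_login": "2025-07-19 02:40:55"},
    "partner_acme": {"admin": False, "last_login": "2025-07-19 10:02:00"},
    "svc_backup":   {"admin": True,  "last_login": "2025-07-19 02:41:12"},
}
KNOWN_GOOD_ADMINS = ["crushadmin"]
TRUSTED_NETS = ["10.0.0.0/8", "192.168.1.0/24"]
SAMPLE_LOG = [
    "2025-07-18 09:15:02 [10.0.4.7] crushadmin login ok (HTTPS)",
    "2025-07-19 02:40:55 [203.0.113.45] crushadmin login ok (HTTPS)",
    "2025-07-19 02:41:10 [203.0.113.45] crushadmin config write users/MainUsers/default/svc_backup",
    "2025-07-19 02:41:12 [203.0.113.45] svc_backup login ok (HTTPS)",
    "2025-07-19 10:02:00 [192.168.1.20] partner_acme upload /inbound/report.csv",
]

if __name__ == "__main__":
    report = triage("11.3.4_22", SAMPLE_USERS, KNOWN_GOOD_ADMINS, TRUSTED_NETS, SAMPLE_LOG)
    print("patched:", report["patched"])
    print("unexpected admin accounts:", report["unexpected_admins"])
    for ts, ip, user, event in report["untrusted_admin_events"]:
        print(f"{ts} {ip:>15} {user:<12} {event}")
```

Run against the constructed data, the version 11.3.4_22 is reported as unpatched, `svc_backup` surfaces as an admin account absent from the baseline, and the three admin events from 203.0.113.45 (the admin login, the configuration write that created the new account, and the first login of that account) are listed together, which is exactly the sequence the detection bullets above tell you to look for. A version outside the 10.x and 11.x branches is deliberately reported as not verified rather than assumed safe.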
