CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
Published: 2025-07-19
A critical zero-day flaw in CrushFTP that can grant attackers administrator access was discovered on July 18 and is under active exploitation.
https://www.securityweek.com/exploited-crushftp-zero-day-provides-admin-access-to-servers/
https://www.infosecurity-magazine.com/news/crushftp-critical-vulnerability/
https://www.helpnetsecurity.com/2025/07/21/crushftp-cve-2025-54309-vulnerability-exploited/
https://www.databreachtoday.com/hackers-target-zero-day-vulnerability-to-exploit-crushftp-a-29020
https://thehackernews.com/2025/07/hackers-exploit-critical-crushftp-flaw.html
Published: 2025-07-18
Updated: 2025-07-23
Known Exploited Vulnerability (KEV)
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Severity: Critical
Base Score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: Critical
EPSS: 0.00101
Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.
Vulnerability of Interest