Overview
On July 18, 2025, CrushFTP disclosed a critical vulnerability (CVE-2025-54309, CVSS 9.0) in versions 10 before 10.8.5 and 11 before 11.3.4_23, exploited via HTTP(S) to gain admin access. The flaw, related to AS2 validation mishandling, allows remote attackers to bypass authentication when the DMZ proxy feature is disabled.
Explanation
The vulnerability arises from improper AS2 validation, enabling attackers to send crafted HTTPS requests to gain administrative access. The flaw was detected on July 18, 2025, at 9 a.m. CST, but may have been exploited earlier. Attackers used HTTP(S) as the attack vector, leveraging a prior bug in AS2 handling to escalate privileges.
Impact
Admin Access: Full control of CrushFTP servers.
Data Exfiltration: Potential theft of sensitive files.
System Compromise: Execution of arbitrary commands.
Service Disruption: Downtime during recovery.
Details
MITRE ATT&CK Mapping:
Tactic: Initial Access (TA0001): T1190 (Exploit Public-Facing Application) – Exploited AS2 validation flaw.
Tactic: Privilege Escalation (TA0004): T1068 (Exploitation for Privilege Escalation) – Gained admin access.
Tactic: Execution (TA0002): T1059 (Command and Scripting Interpreter) – Executed arbitrary commands.
IOCs:
Domains: None publicly disclosed.
IP Addresses: None publicly disclosed.
File Hashes: None specific.
Log Artifacts:
Jul 18 2025 09:00:12 [CrushFTP] Suspicious HTTPS request from 198.51.100.77
Jul 18 2025 09:00:13 [CrushFTP] Admin access granted to unauthorized user
Remediation:
Vendor Patch Guidance: Upgrade to CrushFTP 10.8.5 or 11.3.4_23.
Temporary Mitigations: Enable DMZ proxy; restrict HTTPS access to trusted IPs.
Known Workarounds: Deploy WAF rules to filter malicious AS2 requests.
Threat Hunting Recommendations:
Log Correlation: Monitor CrushFTP logs for unauthorized admin access or suspicious HTTPS requests.
Sigma Rule:
title: CrushFTP AS2 Validation Exploit
id: d4e5f6a7-b890-1234-cdef-567890123456
status: experimental
description: Detects unauthorized admin access via AS2 flaw
logsource:
  category: application
  product: crushftp
detection:
  selection:
    event_type: admin_access
    status: unauthorized
  condition: selection
level: critical
Anomalous Traffic: Monitor for unexpected HTTPS traffic to CrushFTP endpoints.
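As an added example that is not part of this advisory, the following Python script applies the log-correlation recommendation above to constructed log lines in the artifact format quoted earlier: each "Admin access granted to unauthorized user" event is paired with any "Suspicious HTTPS request" from an untrusted address seen in the preceding minute. The exact log format, the 60-second window and the trusted-IP list are assumptions; the addresses are documentation-range placeholders, not real indicators.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines mirroring the artifact format quoted in the
# advisory (timestamp, [CrushFTP] tag, free-text message). The addresses are
# documentation-range placeholders, not real indicators.
SAMPLE_LOG = """\
Jul 18 2025 08:59:40 [CrushFTP] Suspicious HTTPS request from 203.0.113.5
Jul 18 2025 09:00:12 [CrushFTP] Suspicious HTTPS request from 198.51.100.77
Jul 18 2025 09:00:13 [CrushFTP] Admin access granted to unauthorized user
Jul 18 2025 09:45:00 [CrushFTP] Admin access granted to unauthorized user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \[CrushFTP\] (?P<msg>.*)$"
)
SUSPICIOUS_RE = re.compile(r"Suspicious HTTPS request from (?P<ip>[\d.]+)")
ADMIN_RE = re.compile(r"Admin access granted to unauthorized user")

def parse(log_text):
    """Yield (timestamp, message) tuples; lines not in the assumed format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["msg"]

def correlate(log_text, trusted_ips=frozenset(), window=timedelta(seconds=60)):
    """Return one alert per unauthorized admin grant, listing the untrusted
    source IPs of suspicious HTTPS requests seen within `window` before it.
    A grant with no preceding request is still reported (source unknown)."""
    events = list(parse(log_text))
    alerts = []
    for ts, msg in events:
        if not ADMIN_RE.search(msg):
            continue
        sources = set()
        for ets, emsg in events:
            hit = SUSPICIOUS_RE.search(emsg)
            if hit and ts - window <= ets <= ts and hit["ip"] not in trusted_ips:
                sources.add(hit["ip"])
        alerts.append({"time": ts.isoformat(), "sources": sorted(sources)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG, trusted_ips={"203.0.113.5"}):
        print(alert)
```

A grant reported with an empty source list still deserves review: it means admin access was granted without a suspicious request logged in the window, so the entry point may lie outside this log.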
Takeaway for CISOs
File transfer services are critical attack surfaces. CISOs must ensure timely updates and restrict access to trusted sources.
How FireCompass Can Help: FireCompass Agentic AI Platform identifies exposed file transfer services and tests for vulnerabilities like CVE-2025-54309.
Start your free trial today: www.firecompass.com/trial.