{"id":1506,
"date":"2025-07-21T14:54:34",
"date_gmt":"2025-07-21T14:54:34",
"guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/07\/21\/new-crushftp-critical-vulnerability-exploited-in-the-wild\/"},
"modified":"2025-07-21T14:54:34",
"modified_gmt":"2025-07-21T14:54:34",
"slug":"new-crushftp-critical-vulnerability-exploited-in-the-wild",
"status":"publish",
"type":"post",
"link":"http:\/\/ft365.org\/index.php\/2025\/07\/21\/new-crushftp-critical-vulnerability-exploited-in-the-wild\/",
"title":{"rendered":"New CrushFTP Critical Vulnerability Exploited in the Wild"},
"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/a7d280e2-8cd7-47a1-ba33-0ae2a304849f.png?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Kevin Poireault\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-32c6451d-8932-407c-95f3-58a4ac760507\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>At least 10,000 instances of the CrushFTP file transfer solution are vulnerable to a critical flaw that is currently being exploited by attackers, according to cybersecurity experts.<\/p>\n<p>The vulnerability, tracked as CVE-2025-54309, involves a mishandling of AS2 validation in all versions of CrushFTP servers prior to 10.8.5 and prior to 11.3.4_23. It can be exploited when the demilitarized zone (DMZ) proxy feature is not used.<\/p>\n<p>When exploited, CVE-2025-54309 allows remote attackers to obtain admin access via HTTPS.<\/p>\n<h2><strong>CVE-2025-54309 Exploitation Observed<\/strong><\/h2>\n<p>CrushFTP, LLC, owner of the eponymous multi-protocol, multi-platform file transfer server, disclosed CVE-2025-54309 to a private mailing list on July 18 and later in a public-facing vendor advisory.<\/p>\n<p>MITRE also reported the vulnerability on July 18 and assigned it a CVSS score of 9.<\/p>\n<p>The file transfer company warned that threat actors were observed exploiting CVE-2025-54309 from July 18 at 9:00 am CST, although exploitation campaigns may have begun earlier.<\/p>\n<p>The vendor also emphasized that systems running up-to-date software are not susceptible to the vulnerability and encouraged customers to update to a fixed version of CrushFTP urgently. The latest fixed versions are CrushFTP 11.3.4_26 and CrushFTP 10.8.5_12.<\/p>\n<p>Additionally, CrushFTP stated, &#8220;We don&#8217;t believe people with a DMZ CrushFTP in front of their main are affected by this.&#8221;<\/p>\n<p>However, in a July 18 advisory, Rapid7 said its researchers were not convinced this statement was true and advised against relying on a DMZ as a mitigation strategy.<\/p>\n<p>On July 21, the Shadowserver Foundation reported observing 1040 unpatched CrushFTP instances, with the top affected countries being the US, Germany and Canada.<\/p>\n<\/div>\n<figure id=\"layout-4acc4551-c8d8-4222-a3d0-0dbe8f6becb3\" data-layout-id=\"8\" data-edit-folder-name=\"embed\" data-index=\"1\">\n<blockquote><p>\u2014 The Shadowserver Foundation (@Shadowserver) July 21, 2025<\/p><\/blockquote>\n<\/figure>\n<div id=\"layout-548f44bd-8dcb-466d-8fe7-389e7645be0a\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<p>This is the second time in 2025 that a CrushFTP vulnerability has been observed being exploited in the wild, following the disclosure and exploitation of a critical authentication bypass (CVE-2025-31161) in April.<\/p>\n<\/div>\n<\/div>\n","protected":false},
"excerpt":{"rendered":"<p>At least 10,000 instances of the CrushFTP file transfer solution are vulnerable to a critical flaw that is currently being exploited by attackers, according to cybersecurity experts. The vulnerability, tracked as CVE-2025-54309, involves a mishandling of AS2 validation in all versions of CrushFTP servers prior to 10.8.5 and prior to 11.3.4_23. It can be exploited<\/p>\n","protected":false},
"author":2,
"featured_media":1507,
"comment_status":"open",
"ping_status":"open",
"sticky":false,
"template":"",
"format":"standard",
"meta":{"footnotes":""},
"categories":[1],
"tags":[],
"class_list":["post-1506","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],
"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},
"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>",
"tag_info":"Uncategorized",
"comment_count":"0"}