A critical security flaw, CVE-2025-54309, in CrushFTP allows remote attackers to gain admin access over HTTPS. The vulnerability affects CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, specifically when the DMZ proxy feature is not used. Exploitation was detected on July 18, 2025, but may have begun earlier. Attackers exploited a previously known bug after observing code changes made by CrushFTP. The flaw poses significant risk in sectors that manage sensitive file transfers, such as government and healthcare, where a compromised server can enable data exfiltration and breaches of internal systems.
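The affected-version boundaries above are the first thing an administrator needs to check against a fleet, and CrushFTP version strings carry an optional `_build` suffix (as in `11.3.4_23`) that a naive string or float comparison gets wrong. The following is an added example, not code from CrushFTP or from the advisory: a small checker that parses such version strings into comparable tuples and reports whether a deployment falls inside the ranges the advisory names (10 before 10.8.5, 11 before 11.3.4_23, DMZ proxy not in use). The `_build` handling, the treatment of a missing suffix as build 0, and the `is_affected` function name are assumptions made here.

```python
import re
from typing import Optional, Tuple

# Fixed versions as stated in the advisory: 10 before 10.8.5 and
# 11 before 11.3.4_23 are affected. Other major lines are out of scope here.
FIXED_VERSIONS = {10: "10.8.5", 11: "11.3.4_23"}

# major.minor.patch with an optional _build suffix, e.g. "11.3.4_23"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a CrushFTP version string into a (major, minor, patch, build) tuple.

    A missing '_build' suffix is treated as build 0 (assumption made in this
    example), so "11.3.4" sorts before "11.3.4_23".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_affected(version: str, dmz_proxy_in_use: bool) -> Optional[bool]:
    """Report whether a deployment matches the advisory's affected conditions.

    Returns True when the version is below the fixed release for its major
    line and the DMZ proxy is not in use, False when the deployment is outside
    those conditions, and None when the major version is not one the advisory
    describes (so no conclusion can be drawn from the advisory text alone).
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    if dmz_proxy_in_use:
        # The advisory scopes the flaw to instances running without the DMZ proxy.
        return False
    return parsed < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("ftp-a.example", "11.3.4_22", False),
        ("ftp-b.example", "11.3.4_23", False),
        ("ftp-c.example", "10.8.4", False),
        ("ftp-d.example", "11.3.4_22", True),
    ]
    for host, ver, dmz in inventory:
        print(f"{host:16} {ver:10} dmz={dmz!s:5} affected={is_affected(ver, dmz)}")
```

Run it against an exported inventory to triage which hosts still need the update; a `None` result means the version line is not covered by the advisory and should be checked separately rather than assumed safe.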
"CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS."
"The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that a prior bug could be used like this exploit was."
"Without DMZ isolation, the exposed instance becomes a single point of failure. A compromised instance can allow attackers to exfiltrate data, inject backdoors, or pivot into internal systems that rely on the server for trusted exchange."
"The unknown threat actors managed to reverse engineer its source code and discovered the new flaw to target devices that are yet to be updated to the latest versions."