New CrushFTP Critical Vulnerability Exploited in the Wild
CVE-2025-54309 could allow remote attackers to obtain admin access via HTTPS
CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.
CrushFTP ยท CrushFTP
Known ransomware use: Unknown
Follow the source advisory and validate exposure in your environment.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Recent reporting that mentions CVE-2025-54309.
CVE-2025-54309 could allow remote attackers to obtain admin access via HTTPS
A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS score of 9.0
CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers. [...]
CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers. [...]