CVE-2025-54309 — CrushFTP Unprotected Alternate Channel Vulnerability

CrushFTP — AS2 Validation Bypass Enabling Pre-Auth Admin Takeover (Zero-Day, Exploit Sold on Forums)

What is CrushFTP?

CrushFTP is a widely used enterprise managed file transfer (MFT) server, supporting SFTP, FTP, FTPS, HTTPS, WebDAV, and AS2 protocols. It is deployed by organizations in regulated industries (financial services, healthcare, government) for secure, auditable file transfers with business partners, customers, and internal teams. CrushFTP has been affected by multiple critical vulnerabilities in recent years — making it a recurring high-value target. AS2 (Applicability Statement 2) is an electronic data interchange protocol used for signed, encrypted business document exchange over HTTPS, commonly used in healthcare (EDI), manufacturing, and finance.

Overview

CVE-2025-54309 is a critical unprotected alternate channel vulnerability (CWE-420) in CrushFTP's AS2 handler. On installations that do not use the CrushFTP DMZ proxy feature, the AS2 protocol's validation logic is mishandled in a way that creates an alternate, unauthenticated HTTPS channel through which a remote attacker can gain full administrative access to the CrushFTP server. Exploitation was detected as a zero-day on 18 July 2025. A working exploit appeared for sale on the cybercriminal forum "Exploit" on 22 July — the same day CISA added the CVE to the KEV catalog.

Affected Versions

Branch          Vulnerable            Fixed
CrushFTP 10.x   Prior to 10.8.5_12    10.8.5_12
CrushFTP 11.x   Prior to 11.3.4_26    11.3.4_26

Important condition: The vulnerability is only exploitable when the DMZ proxy feature is NOT used. Installations where CrushFTP's built-in DMZ proxy fronts the server are not reachable via the vulnerable code path. However, most CrushFTP deployments do not use the DMZ proxy feature.

Technical Details

The vulnerability (CWE-420: Unprotected Alternate Channel) is in CrushFTP's AS2 message processing. The AS2 protocol uses cryptographic Message Integrity Checks (MIC) and multipart message envelopes to ensure the authenticity and integrity of exchanged documents. CrushFTP's AS2 handler fails to properly enforce these cryptographic checks — specifically, it does not adequately validate MIC values and does not sanitize multipart message content before processing.

This creates an alternate HTTP channel through which an attacker can craft a malicious AS2 request that bypasses CrushFTP's normal authentication requirements. Because the AS2 handler operates with administrative context, a successful exploit grants the attacker full admin access — enabling account creation, configuration changes, data exfiltration, and arbitrary file operations.

The High Complexity (AC:H) CVSS rating likely reflects a specific constraint in payload construction rather than a general exploitation difficulty, given the confirmed zero-day status and commercial exploit availability.

Discovery

Exploitation was first detected by CrushFTP's own server monitoring on 18 July 2025 at 09:00 CST — a zero-day with no prior external report. A commercial exploit appeared for sale on the cybercriminal forum "Exploit" on 22 July 2025 (discovered by ReliaQuest), suggesting the vulnerability was independently discovered and weaponized by criminal actors before CrushFTP's detection.

Exploitation Context

Confirmed zero-day exploitation in the wild at time of disclosure. CISA added CVE-2025-54309 to the KEV catalog on 22 July 2025 with a 21-day federal remediation deadline. On the same day, ReliaQuest discovered an active forum listing advertising a CrushFTP HTTP zero-day exploit for sale — indicating commercial exploit market activity around this vulnerability. Thousands of CrushFTP servers remained exposed after disclosure. No specific named threat actor group has been publicly attributed.

Remediation

  1. Upgrade CrushFTP immediately: to version 10.8.5_12+ (for CrushFTP 10) or 11.3.4_26+ (for CrushFTP 11).
  2. Enable the DMZ proxy feature if operationally feasible — this prevents the vulnerable AS2 code path from being reachable from the internet.
  3. Restrict HTTPS access to the CrushFTP server's management and AS2 endpoints to trusted IP ranges at the perimeter firewall.
  4. Review CrushFTP admin logs for suspicious administrative actions occurring before 18 July 2025 — account creation, configuration changes, or new file access patterns.
  5. Audit all administrator accounts — remove any accounts not created by known administrators.
  6. Check for web shells or backdoors in the CrushFTP installation directory if exploitation is suspected.
  7. Rotate all credentials stored in CrushFTP (user passwords, API credentials, SSH keys) and review data for evidence of exfiltration.
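As an added example (not code from the advisory or from CrushFTP), the following Python check applies the Affected Versions table and the DMZ proxy condition from the remediation steps to a host inventory, separating hosts that must be upgraded from hosts whose vulnerable AS2 path is actually reachable. The MAJOR.MINOR.PATCH_BUILD version format, the host names and the inventory are assumptions constructed for the example.

```python
import re

# First fixed build per branch, from the advisory's Affected Versions table.
FIXED_BUILDS = {
    10: (10, 8, 5, 12),  # CrushFTP 10.x fixed in 10.8.5_12
    11: (11, 3, 4, 26),  # CrushFTP 11.x fixed in 11.3.4_26
}

# Assumed version format MAJOR.MINOR.PATCH_BUILD, e.g. 11.3.4_26.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

def parse_version(version):
    """Parse a CrushFTP version string into a comparable tuple.
    A missing _BUILD suffix counts as build 0, i.e. older than any numbered build."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))

def is_vulnerable(version):
    """True if the build predates its branch's fix, False if patched,
    None when the branch is not covered by the advisory's table."""
    parsed = parse_version(version)
    fixed = FIXED_BUILDS.get(parsed[0])
    return None if fixed is None else parsed < fixed

def is_exposed(version, dmz_proxy_in_use):
    """True only if unpatched AND not fronted by the DMZ proxy, since the
    vulnerable AS2 code path is unreachable behind the DMZ proxy."""
    vuln = is_vulnerable(version)
    return None if vuln is None else (vuln and not dmz_proxy_in_use)

# Constructed sample inventory (hypothetical hosts): name -> (version, dmz_proxy_in_use)
SAMPLE_INVENTORY = {
    "mft-prod-01": ("11.3.4_26", False),  # patched
    "mft-prod-02": ("11.3.4_21", False),  # unpatched and reachable
    "mft-dmz-01": ("10.8.5_9", True),     # unpatched but behind the DMZ proxy
    "mft-legacy": ("10.8.4_30", False),   # unpatched and reachable
}

def hosts_needing_upgrade(inventory):
    """Every unpatched host still needs the upgrade (remediation step 1)."""
    return sorted(h for h, (v, _) in inventory.items() if is_vulnerable(v))

def hosts_exposed(inventory):
    """Hosts to prioritise: unpatched and not fronted by the DMZ proxy (step 2)."""
    return sorted(h for h, (v, dmz) in inventory.items() if is_exposed(v, dmz))
```

Hosts on a branch the table does not list come back as None and are excluded from both lists, so an unknown branch is reported as unassessed rather than silently treated as safe.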

Key Details

Property              Value
CVE ID                CVE-2025-54309
Vendor / Product      CrushFTP — CrushFTP
NVD Published         2025-07-18
NVD Last Modified     2025-11-05
CVSS 3.1 Score        9
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-420
CISA KEV Added        2025-07-22
CISA KEV Deadline     2025-08-12
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    High
Privileges Required  None
User Interaction     None
Scope                Changed
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2025-08-12. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-07-18  Zero-day exploitation first detected by CrushFTP monitoring at 09:00 CST; CVE published; fixed versions released
2025-07-22  CISA adds to KEV catalog; ReliaQuest discovers exploit for sale on the cybercriminal forum 'Exploit'
2025-08-12  CISA BOD 22-01 remediation deadline