CVE-2025-54309

CRITICAL KEV NUCLEI

CrushFTP 10 < 10.8.5 / 11 < 11.3.4_23 - Authentication Bypass to Admin Access

Title source: llm

Description

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
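Patch triage is the first practical task an advisory like this creates, and CrushFTP's version strings are awkward to compare because fixed builds carry an underscore suffix (11.3.4_23). The script below is an added example, not code from the CVE record or from CrushFTP; it assumes the operator already has version strings (from the admin UI, an asset inventory or a banner) and the hostnames and versions in SAMPLE are constructed. It applies only the ranges stated in the description: 10.x before 10.8.5 and 11.x before 11.3.4_23, with the DMZ-proxy condition reported separately rather than treated as a fix.

```python
"""Triage CrushFTP version strings against the CVE-2025-54309 fixed builds.

Added example, not code from the CVE record or from CrushFTP. It assumes the
operator already has version strings (admin UI, asset inventory, banner) and
only decides whether each falls inside the affected ranges given in the CVE
description: 10.x before 10.8.5 and 11.x before 11.3.4_23.
"""
import re
from dataclasses import dataclass

# Fixed builds per the CVE description. Only 10.x and 11.x are in scope;
# other major versions are reported as "out-of-scope", not "fixed".
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '11.3.4_22' into (11, 3, 4, 22); missing fields become 0.

    CrushFTP appends a build number after an underscore ('_23'); a string
    without it is treated as build 0, i.e. older than any suffixed build.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build or 0))


@dataclass
class Verdict:
    host: str
    version: str
    status: str   # "vulnerable", "mitigated", "fixed" or "out-of-scope"
    note: str


def fmt(v: tuple[int, int, int, int]) -> str:
    base = f"{v[0]}.{v[1]}.{v[2]}"
    return f"{base}_{v[3]}" if v[3] else base


def assess(host: str, version: str, dmz_proxy: bool) -> Verdict:
    """Classify one host. dmz_proxy mirrors the CVE's 'DMZ proxy feature is
    not used' condition: a DMZ-fronted unpatched instance is flagged as
    mitigated, not fixed, because the build is still below the fixed one."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return Verdict(host, version, "out-of-scope", "not a 10.x or 11.x build")
    if v >= fixed:
        return Verdict(host, version, "fixed", f"at or above {fmt(fixed)}")
    if dmz_proxy:
        return Verdict(host, version, "mitigated",
                       f"below {fmt(fixed)} but behind DMZ proxy; still patch")
    return Verdict(host, version, "vulnerable", f"below {fmt(fixed)}")


def triage(inventory):
    """inventory: iterable of (host, version, dmz_proxy) tuples.
    Returns verdicts with vulnerable hosts first (sort is stable)."""
    order = {"vulnerable": 0, "mitigated": 1, "fixed": 2, "out-of-scope": 3}
    verdicts = [assess(h, ver, dmz) for h, ver, dmz in inventory]
    return sorted(verdicts, key=lambda r: order[r.status])


# Constructed sample inventory: hypothetical hosts and versions.
SAMPLE = [
    ("ftp-a.example.internal", "11.3.4_23", False),
    ("ftp-b.example.internal", "11.3.4_22", False),
    ("ftp-c.example.internal", "10.8.4", False),
    ("ftp-d.example.internal", "10.8.5", False),
    ("ftp-e.example.internal", "11.2.0", True),
    ("ftp-f.example.internal", "9.5.1", False),
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r.status:<12} {r.host:<26} {r.version:<10} {r.note}")
```

The comparison is tuple-based on purpose: "11.3.4" (no build suffix) sorts below "11.3.4_23", so a build that reports the base version without its suffix is treated as unpatched until proven otherwise, which is the safer default during an incident.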

Exploits (8 tracked, 7 listed)

nomisec · WORKING POC · 27 stars
by watchtowrlabs · remote
https://github.com/watchtowrlabs/watchTowr-vs-CrushFTP-Authentication-Bypass-CVE-2025-54309

nomisec · WORKING POC · 1 star
by 0xLittleSpidy · remote
https://github.com/0xLittleSpidy/CVE-2025-54309

nomisec · WORKING POC · 1 star
by foregenix · remote
https://github.com/foregenix/CVE-2025-54309

nomisec · WRITEUP
by Smileyface101 · infoleak
https://github.com/Smileyface101/CrushFTP-AS2-Bypass-Research-CVE-2025-54309

nomisec · WORKING POC
by chin-tech · remote
https://github.com/chin-tech/CrushFTP_CVE-2025-54309

nomisec · WORKING POC
by whisperer1290 · remote-auth
https://github.com/whisperer1290/CVE-2025-54309__Enhanced_exploit

nomisec · WORKING POC
by brokendreamsclub · remote
https://github.com/brokendreamsclub/CVE-2025-54309

Nuclei Templates (1)

CrushFTP - Authentication Bypass Race Condition
CRITICAL · VERIFIED · by pussycat0x, watchTowr, dhiyaneshdk
Shodan: http.title:"crushftp" || http.favicon.hash:-1022206565
FOFA: title="crushftp" || icon_hash="-1022206565"

Scores

CVSS v3.1 9.0 (Critical)
EPSS 0.7776 (77.76% probability of exploitation activity in the next 30 days)
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CISA KEV 2025-07-22
VulnCheck KEV 2025-07-18
ENISA EUVD EUVD-2025-21909
CWE CWE-420 (Unprotected Alternate Channel)
Status published
Products (1)
crushftp/crushftp 10.0.0 up to but not including 10.8.5; 11.0.0 up to but not including 11.3.4_23
Published Jul 18, 2025
KEV Added Jul 22, 2025
Tracked Since Feb 18, 2026