CVE-2025-54309

CRITICAL KEV NUCLEI

CrushFTP 10.0.0-10.8.4 and 11.0.0-11.3.3 - Unauthenticated Remote Admin Access via AS2 Validation Bypass

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-54309 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 22, 2025. EIP tracks 9 public exploits from researchers including watchtowrlabs, 0xLittleSpidy, foregenix. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2025-54309, an authentication bypass vulnerability in CrushFTP. The PoC leverages a race condition by sending concurrent requests with manipulated session identifiers to extract user lists without proper authentication.

Description

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

Exploits (9)

nomisec WORKING POC 27 stars
by watchtowrlabs · remote
https://github.com/watchtowrlabs/watchTowr-vs-CrushFTP-Authentication-Bypass-CVE-2025-54309

This repository contains a functional Python exploit for CVE-2025-54309, an authentication bypass vulnerability in CrushFTP. The PoC leverages a race condition by sending concurrent requests with manipulated session identifiers to extract user lists without proper authentication.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Racy
Target: CrushFTP (versions before 10.8.5 and 11 before 11.3.4_23)
No auth needed
Prerequisites: Network access to CrushFTP WebInterface · Python 3.x with requests library
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 1 stars
by 0xLittleSpidy · remote
https://github.com/0xLittleSpidy/CVE-2025-54309

This repository contains a functional Python exploit for CVE-2025-54309, targeting CrushFTP's WebInterface. The exploit leverages a race condition and improper authentication handling to perform arbitrary file reads, user enumeration, and admin user creation.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Racy
Target: CrushFTP (version not specified)
No auth needed
Prerequisites: Network access to CrushFTP WebInterface · CrushFTP service running on target
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 1 stars
by foregenix · remote
https://github.com/foregenix/CVE-2025-54309

This repository contains a functional exploit for CVE-2025-54309, targeting CrushFTP. The exploit includes multiple modes (user insertion, JAR upload, command execution) and leverages hardcoded authentication cookies to bypass authentication and perform privileged actions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CrushFTP versions 10.8.0_4 and 11.3.3_15-dev
No auth needed
Prerequisites: Network access to the CrushFTP WebInterface · CrushFTP version vulnerable to CVE-2025-54309
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WRITEUP
by Smileyface101 · infoleak
https://github.com/Smileyface101/CrushFTP-AS2-Bypass-Research-CVE-2025-54309

This repository provides a detailed technical analysis and proof-of-concept for an authentication bypass vulnerability in CrushFTP's AS2 module, including exploitation scripts and detection tools. The research includes a thorough breakdown of the vulnerability, affected endpoints, and mitigation strategies.

Classification
Writeup 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: CrushFTP Server 10.x, 11.x
No auth needed
Prerequisites: Access to CrushFTP web interface · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC
by chin-tech · remote
https://github.com/chin-tech/CrushFTP_CVE-2025-54309

This repository contains a functional Python exploit for CVE-2025-54309, a race condition vulnerability in CrushFTP that allows authentication bypass and admin user creation. The exploit leverages concurrent HTTP requests to trigger the race condition, enabling unauthorized user creation with admin privileges.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Racy
Target: CrushFTP < 10.8.5, < 11.3.4_34
No auth needed
Prerequisites: Network access to the CrushFTP WebInterface · Python environment with 'requests' library
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC
by whisperer1290 · remote-auth
https://github.com/whisperer1290/CVE-2025-54309__Enhanced_exploit

This repository contains a functional exploit for CVE-2025-54309, an authentication bypass vulnerability in CrushFTP. The exploit leverages a race condition to create an administrative user by sending concurrent requests with and without the AS2-TO header.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Racy
Target: CrushFTP versions 10 before 10.8.5 and 11 before 11.3.4_23
No auth needed
Prerequisites: Network access to the CrushFTP WebInterface · Vulnerable version of CrushFTP
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC
by blueisbeautiful · poc
https://github.com/blueisbeautiful/CVE-2025-54309

This repository contains a functional exploit for CVE-2025-54309, an authentication bypass vulnerability in CrushFTP. The exploit leverages improper AS2 header validation to create administrative users without authentication.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: CrushFTP 10.x < 10.8.5, 11.x < 11.3.4_23
No auth needed
Prerequisites: network access to CrushFTP WebInterface · Python 3.x with requests library
devstral-2 · analyzed May 12, 2026 Full analysis →
nomisec WORKING POC
by fuckyourheroes · poc
https://github.com/fuckyourheroes/CVE-2025-54309

This repository contains a functional exploit for CVE-2025-54309, an authentication bypass vulnerability in CrushFTP. The exploit leverages improper AS2 header validation to create administrative users without authentication.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: CrushFTP 10.x < 10.8.5, 11.x < 11.3.4_23
No auth needed
Prerequisites: network access to CrushFTP WebInterface · Python 3.x with requests library
devstral-2 · analyzed May 03, 2026 Full analysis →
nomisec WORKING POC
by brokendreamsclub · remote
https://github.com/brokendreamsclub/CVE-2025-54309

This repository contains a functional exploit for CVE-2025-54309, an authentication bypass vulnerability in CrushFTP. The exploit leverages improper AS2 header validation to create administrative users without authentication.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: CrushFTP 10.x < 10.8.5, 11.x < 11.3.4_23
No auth needed
Prerequisites: Network access to CrushFTP WebInterface · Python 3.x with requests library
devstral-2 · analyzed Feb 19, 2026 Full analysis →

Nuclei Templates (1)

CrushFTP - Authentication Bypass Race Condition
CRITICALVERIFIEDby pussycat0x,watchTowr,dhiyaneshdk
Shodan: http.title:"crushftp" || http.favicon.hash:-1022206565
FOFA: title="crushftp" || icon_hash="-1022206565"

References (6)

Core 6

Scores

CVSS v3 9.0
EPSS 0.7680
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-07-22
VulnCheck KEV 2025-07-18
ENISA EUVD EUVD-2025-21909
CWE
CWE-420
Status published
Products (1)
crushftp/crushftp 10.0.0 - 10.8.5
Published Jul 18, 2025
KEV Added Jul 22, 2025
Tracked Since Feb 18, 2026