Vulnerability-Lookup

CVE-2025-54309 (GCVE-0-2025-54309)

Vulnerability from cvelistv5 – Published: 2025-07-18 00:00 – Updated: 2025-10-21 22:45

CISA Shadowserver KEVIntel

Summary

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

Severity

9 (Critical)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC

Exploitation: active Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-420 - Unprotected Alternate Channel

Assigner

mitre

References

6 references

URL	Tags
https://www.crushftp.com/crush11wiki/Wiki.jsp?pag…
https://www.rapid7.com/blog/post/crushftp-zero-da…
https://www.bleepingcomputer.com/news/security/cr…
https://www.vicarius.io/vsociety/posts/cve-2025-5…
https://www.vicarius.io/vsociety/posts/cve-2025-5…
https://www.cisa.gov/known-exploited-vulnerabilit…	government-resource

Impacted products

1 product

Vendor	Product	Version
CrushFTP	CrushFTP	Affected: 10 , < 10.8.5 (custom) Affected: 11 , < 11.3.4_23 (custom)

CISA

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 2736c737-51bf-40cc-b7a0-379050a01d38

Vulnerability ID: CVE-2025-54309

Status: Confirmed

Status Updated: 2025-07-22 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2025-07-22

Asserted: 2025-07-22

Scope

Notes: KEV entry: CrushFTP Unprotected Alternate Channel Vulnerability | Affected: CrushFTP / CrushFTP | Description: CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS. | Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | Due date: 2025-08-12 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54309

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-420
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	CrushFTP
Due Date	2025-08-12
Date Added	2025-07-22
Vendorproject	CrushFTP
Vulnerabilityname	CrushFTP Unprotected Alternate Channel Vulnerability
Knownransomwarecampaignuse	Unknown

References

CVE-2025-54309

Created: 2026-02-02 12:25 UTC | Updated: 2026-02-06 07:17 UTC

Shadowserver

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: f8326a46-a223-451d-beb1-06fddc836eec

Vulnerability ID: CVE-2025-54309

Status: Confirmed

Status Updated: 2025-12-11 00:00 UTC

Exploited: Yes

Characteristics

Severity: 98.0

Timestamps

First Seen: 2025-10-10

Asserted: 2025-10-10

Last Seen: 2025-12-11

Scope

Asset Exposure: ['internet-facing']

Evidence

Type: Honeypot

Signal: In The Wild Attempts

Confidence: 70%

Source: shadowserver

Details

1D	1
Iot	no
Feed	Shadowserver Foundation honeypot/exploited-vulnerabilities
Type	http-scan
Class	file-transfer
7D Avg	1
Vendor	CrushFTP
30D Avg	0
90D Avg	1
Product	CrushFTP
Cisa Kev	yes
Connections	209
Observation Date	2025-12-11
Vulnerability Class	CVSS
Vulnerability Score	9.8
Vulnerability Severity	Critical

References

Created: 2026-06-30 09:42 UTC | Updated: 2026-06-30 10:22 UTC

KEVIntel

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: b93ad509-263a-474e-8433-c5e5670ae490

Vulnerability ID: CVE-2025-54309

Status: Confirmed

Status Updated: 2026-06-01 10:37 UTC

Exploited: Yes

Timestamps

First Seen: 2026-06-01

Asserted: 2026-06-01

Scope

Notes: KEVIntel entry: CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote... | Affected: CrushFTP / CrushFTP | CVSS: 9.0 (CRITICAL) | EPSS: 0.92034 | Used in malware: unknown | Not yet in CISA KEV: False

Evidence

Type: Public Report

Signal: Successful Exploitation

Confidence: 70%

Source: kevintel

Details

Feed	KEVIntel (kevintel.com)
Title	CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote...
Vendor	CrushFTP
Product	CrushFTP
Added Date	2026-06-01T10:37:11.050Z
Cvss Score	9.0
Epss Score	0.92034
Cvss Severity	CRITICAL
Epss Percentile	0.99808
Used In Malware	unknown
Ahead Of Cisa Kev	`{ "count": 1, "unit": "day" }`
Not Yet In Cisa Kev	False

References

Created: 2026-06-23 14:03 UTC | Updated: 2026-06-23 14:03 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54309",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-15T18:50:07.009232Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-07-22",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:45:21.853Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-07-22T00:00:00.000Z",
            "value": "CVE-2025-54309 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CrushFTP",
          "vendor": "CrushFTP",
          "versions": [
            {
              "lessThan": "10.8.5",
              "status": "affected",
              "version": "10",
              "versionType": "custom"
            },
            {
              "lessThan": "11.3.4_23",
              "status": "affected",
              "version": "11",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.8.5",
                  "versionStartIncluding": "10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "11.3.4_23",
                  "versionStartIncluding": "11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-420",
              "description": "CWE-420 Unprotected Alternate Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-25T16:33:25.474Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025"
        },
        {
          "url": "https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/"
        },
        {
          "url": "https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/"
        },
        {
          "url": "https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability"
        },
        {
          "url": "https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-54309",
    "datePublished": "2025-07-18T00:00:00.000Z",
    "dateReserved": "2025-07-18T00:00:00.000Z",
    "dateUpdated": "2025-10-21T22:45:21.853Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2025-54309",
      "cwes": "[\"CWE-420\"]",
      "dateAdded": "2025-07-22",
      "dueDate": "2025-08-12",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54309 ",
      "product": "CrushFTP",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.",
      "vendorProject": "CrushFTP",
      "vulnerabilityName": " CrushFTP Unprotected Alternate Channel Vulnerability"
    },
    "epss": {
      "cve": "CVE-2025-54309",
      "date": "2026-06-30",
      "epss": "0.92034",
      "percentile": "0.99807"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54309\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2025-07-18T19:15:25.353\",\"lastModified\":\"2026-06-17T09:39:49.643\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.\"},{\"lang\":\"es\",\"value\":\"CrushFTP 10 anterior a 10.8.5 y 11 anterior a 11.3.4_23, cuando no se utiliza la funci\u00f3n de proxy DMZ, maneja incorrectamente la validaci\u00f3n AS2 y, en consecuencia, permite a atacantes remotos obtener acceso de administrador a trav\u00e9s de HTTPS, como se explot\u00f3 en la naturaleza en julio de 2025.\"}],\"affected\":[{\"source\":\"cve@mitre.org\",\"affectedData\":[{\"vendor\":\"CrushFTP\",\"product\":\"CrushFTP\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"10\",\"lessThan\":\"10.8.5\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"11\",\"lessThan\":\"11.3.4_23\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2025-08-15T18:50:07.009232Z\",\"id\":\"CVE-2025-54309\",\"options\":[{\"exploitation\":\"active\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"cisaExploitAdd\":\"2025-07-22\",\"cisaActionDue\":\"2025-08-12\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\" CrushFTP Unprotected Alternate Channel Vulnerability\",\"weaknesses\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-420\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndExcluding\":\"10.8.5\",\"matchCriteriaId\":\"A4950EA3-D20F-48B4-BE81-8018EFB452D8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndExcluding\":\"11.3.4_23\",\"matchCriteriaId\":\"BDC2BCC0-AEA5-4A35-BCAD-6287574D4ED5\"}]}]}],\"references\":[{\"url\":\"https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Press/Media Coverage\"]},{\"url\":\"https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Press/Media Coverage\"]},{\"url\":\"https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54309\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-15T18:50:07.009232Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2025-07-22\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-07-22T00:00:00.000Z\", \"value\": \"CVE-2025-54309 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-18T18:41:09.841Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 9, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\"}}], \"affected\": [{\"vendor\": \"CrushFTP\", \"product\": \"CrushFTP\", \"versions\": [{\"status\": \"affected\", \"version\": \"10\", \"lessThan\": \"10.8.5\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"11\", \"lessThan\": \"11.3.4_23\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025\"}, {\"url\": \"https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/\"}, {\"url\": \"https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/\"}, {\"url\": \"https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability\"}, {\"url\": \"https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability\"}], \"x_generator\": {\"engine\": \"enrichogram 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-420\", \"description\": \"CWE-420 Unprotected Alternate Channel\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"10.8.5\", \"versionStartIncluding\": \"10\"}, {\"criteria\": \"cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"11.3.4_23\", \"versionStartIncluding\": \"11\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2025-09-25T16:33:25.474Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54309\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T22:45:21.853Z\", \"dateReserved\": \"2025-07-18T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2025-07-18T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

BDU:2025-08775

Vulnerability from fstec - Published: 18.07.2025

Title

Уязвимость веб-интерфейса кроссплатформенного FTP-сервера CrushFTP, позволяющая нарушителю выполнить произвольный код с повышенными привилегиями

Description

Уязвимость веб-интерфейса кроссплатформенного FTP-сервера CrushFTP связана с использованием незащищенного альтернативного канала. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, выполнить произвольный код с повышенными привилегиями путём изменения административного пользователя на пользователя по умолчанию

Severity


                    
                      AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Vendor

Converge Technology Solutions

Software Name

CrushFTP

Software Version

от 10 до 10.8.5 (CrushFTP), от 11 до 11.3.4_23 (CrushFTP)

Possible Mitigations

Установка обновлений из доверенных источников. В связи со сложившейся обстановкой и введенными санкциями против Российской Федерации рекомендуется устанавливать обновления программного обеспечения только после оценки всех сопутствующих рисков. Компенсирующие меры: - ограничение доступа к уязвимому программному обеспечению, используя схему доступа по «белым спискам»; - использование демилитаризованной зоны (DMZ) при организации доступа к уязвимому программному обеспечению; - использование систем обнаружения и предотвращения вторжений для обнаружения (выявления, регистрации) и реагирования на попытки эксплуатации уязвимостей. Использование рекомендаций: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025

Reference

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 https://www.bleepingcomputer.com/news/security/new-crushftp-zero-day-exploited-in-attacks-to-hijack-servers/

CWE

CWE-420

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Converge Technology Solutions",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u043e\u0442 10 \u0434\u043e 10.8.5 (CrushFTP), \u043e\u0442 11 \u0434\u043e 11.3.4_23 (CrushFTP)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0438\u0437 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432. \u0412 \u0441\u0432\u044f\u0437\u0438 \u0441\u043e \u0441\u043b\u043e\u0436\u0438\u0432\u0448\u0435\u0439\u0441\u044f \u043e\u0431\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u043e\u0439 \u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u043c\u0438 \u0441\u0430\u043d\u043a\u0446\u0438\u044f\u043c\u0438 \u043f\u0440\u043e\u0442\u0438\u0432 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e\u0441\u043b\u0435 \u043e\u0446\u0435\u043d\u043a\u0438 \u0432\u0441\u0435\u0445 \u0441\u043e\u043f\u0443\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0445 \u0440\u0438\u0441\u043a\u043e\u0432.\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u043c\u0443 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u043c\u0443 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044e, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0441\u0445\u0435\u043c\u0443 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043f\u043e \u00ab\u0431\u0435\u043b\u044b\u043c \u0441\u043f\u0438\u0441\u043a\u0430\u043c\u00bb;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0434\u0435\u043c\u0438\u043b\u0438\u0442\u0430\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u0437\u043e\u043d\u044b (DMZ) \u043f\u0440\u0438 \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u0430\u0446\u0438\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u043c\u0443 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u043c\u0443 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044e;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f \u0438 \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0449\u0435\u043d\u0438\u044f \u0432\u0442\u043e\u0440\u0436\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f (\u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f, \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u0438) \u0438 \u0440\u0435\u0430\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043d\u0430 \u043f\u043e\u043f\u044b\u0442\u043a\u0438 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0435\u0439.\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "18.07.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "13.08.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "21.07.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-08775",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-54309",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "CrushFTP",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432\u0435\u0431-\u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u043a\u0440\u043e\u0441\u0441\u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0435\u043d\u043d\u043e\u0433\u043e FTP-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 CrushFTP, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u0441 \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u043d\u044b\u043c\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u044f\u043c\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0437\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u044b\u0439 \u0430\u043b\u044c\u0442\u0435\u0440\u043d\u0430\u0442\u0438\u0432\u043d\u044b\u0439 \u043a\u0430\u043d\u0430\u043b (CWE-420)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432\u0435\u0431-\u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u043a\u0440\u043e\u0441\u0441\u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0435\u043d\u043d\u043e\u0433\u043e FTP-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 CrushFTP \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043d\u0435\u0437\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u043e\u0433\u043e \u0430\u043b\u044c\u0442\u0435\u0440\u043d\u0430\u0442\u0438\u0432\u043d\u043e\u0433\u043e \u043a\u0430\u043d\u0430\u043b\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u0441 \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u043d\u044b\u043c\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u044f\u043c\u0438 \u043f\u0443\u0442\u0451\u043c \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u0438\u0432\u043d\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u043d\u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0441\u0431\u043e\u0440 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025\nhttps://www.bleepingcomputer.com/news/security/new-crushftp-zero-day-exploited-in-attacks-to-hijack-servers/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-420",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,6)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9)"
}

FKIE_CVE-2025-54309

Vulnerability from fkie_nvd - Published: 2025-07-18 19:15 - Updated: 2026-06-17 09:39

CISA Shadowserver KEVIntel

Severity

9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/	Press/Media Coverage
cve@mitre.org	https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025	Vendor Advisory
cve@mitre.org	https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/	Press/Media Coverage
cve@mitre.org	https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability	Third Party Advisory
cve@mitre.org	https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability	Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309	US Government Resource

Impacted products

	Vendor	Product	Version
	crushftp	crushftp	*
	crushftp	crushftp	*

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "CrushFTP",
          "vendor": "CrushFTP",
          "versions": [
            {
              "lessThan": "10.8.5",
              "status": "affected",
              "version": "10",
              "versionType": "custom"
            },
            {
              "lessThan": "11.3.4_23",
              "status": "affected",
              "version": "11",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "cve@mitre.org"
    }
  ],
  "cisaActionDue": "2025-08-12",
  "cisaExploitAdd": "2025-07-22",
  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": " CrushFTP Unprotected Alternate Channel Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A4950EA3-D20F-48B4-BE81-8018EFB452D8",
              "versionEndExcluding": "10.8.5",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BDC2BCC0-AEA5-4A35-BCAD-6287574D4ED5",
              "versionEndExcluding": "11.3.4_23",
              "versionStartIncluding": "11.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025."
    },
    {
      "lang": "es",
      "value": "CrushFTP 10 anterior a 10.8.5 y 11 anterior a 11.3.4_23, cuando no se utiliza la funci\u00f3n de proxy DMZ, maneja incorrectamente la validaci\u00f3n AS2 y, en consecuencia, permite a atacantes remotos obtener acceso de administrador a trav\u00e9s de HTTPS, como se explot\u00f3 en la naturaleza en julio de 2025."
    }
  ],
  "id": "CVE-2025-54309",
  "lastModified": "2026-06-17T09:39:49.643",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 6.0,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2025-54309",
          "options": [
            {
              "exploitation": "active"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2025-08-15T18:50:07.009232Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2025-07-18T19:15:25.353",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Press/Media Coverage"
      ],
      "url": "https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Press/Media Coverage"
      ],
      "url": "https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-420"
        }
      ],
      "source": "cve@mitre.org",
      "type": "Secondary"
    }
  ]
}

GHSA-RH5Q-V9WW-RQGM

Vulnerability from github – Published: 2025-07-18 21:30 – Updated: 2025-10-22 00:33

Details

Severity

9.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-54309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-18T19:15:25Z",
    "severity": "CRITICAL"
  },
  "details": "CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.",
  "id": "GHSA-rh5q-v9ww-rqgm",
  "modified": "2025-10-22T00:33:19Z",
  "published": "2025-07-18T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54309"
    },
    {
      "type": "WEB",
      "url": "https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309"
    },
    {
      "type": "WEB",
      "url": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025"
    },
    {
      "type": "WEB",
      "url": "https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

NCSC-2025-0234

Vulnerability from csaf_ncscnl - Published: 2025-07-21 08:34 - Updated: 2025-08-28 07:59

Summary

Kwetsbaarheid verholpen in CrushFTP

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: CrushFTP heeft een kwetsbaarheid verholpen in versies 10 tot en met 10.8.5 en 11 tot en met 11.3.4_23.

Interpretaties: De kwetsbaarheid bevindt zich in de AS2-validatie van CrushFTP. Deze kwetsbaarheid stelt een aanvaller in staat om via HTTPS administratieve toegang te verkrijgen, vooral wanneer de DMZ-proxyfunctie niet wordt gebruikt. De kwetsbaarheid is actief misbruikt, met meldingen die in juli 2025 zijn verschenen. Ongeautoriseerde toegang kan leiden tot verdere exploitatie van de getroffen systemen. Diverse onderzoekers publiceren inmiddels Proof-of-Concept-code (PoC) waarmee de kwetsbaarheid kan worden aangetoond. Daadwerkelijk misbruik is op dit moment nog niet eenvoudig te realiseren, omdat een zgn. 'Race condition' moet worden gerealiseerd. Het NCSC acht het waarschijnlijk dat op korte termijn werkende exploitcode wordt gepubliceerd, waarmee grootschalig misbruik eenvoudiger wordt.

Oplossingen: CrushFTP heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-420: Unprotected Alternate Channel

CVE-2025-54309

CWE-420 - Unprotected Alternate Channel

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/10\|<10.8.5 CrushFTP / CrushFTP		vers:unknown/10\|<10.8.5
vers:unknown/11\|<11.3.4_23 CrushFTP / CrushFTP		vers:unknown/11\|<11.3.4_23

References

2 references

URL	Category
https://www.crushftp.com/crush11wiki/Wiki.jsp?pag…	external
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "CrushFTP heeft een kwetsbaarheid verholpen in versies 10 tot en met 10.8.5 en 11 tot en met 11.3.4_23.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheid bevindt zich in de AS2-validatie van CrushFTP. Deze kwetsbaarheid stelt een aanvaller in staat om via HTTPS administratieve toegang te verkrijgen, vooral wanneer de DMZ-proxyfunctie niet wordt gebruikt. De kwetsbaarheid is actief misbruikt, met meldingen die in juli 2025 zijn verschenen. Ongeautoriseerde toegang kan leiden tot verdere exploitatie van de getroffen systemen.\n\nDiverse onderzoekers publiceren inmiddels Proof-of-Concept-code (PoC) waarmee de kwetsbaarheid kan worden aangetoond. Daadwerkelijk misbruik is op dit moment nog niet eenvoudig te realiseren, omdat een zgn. \u0027Race condition\u0027 moet worden gerealiseerd.\nHet NCSC acht het waarschijnlijk dat op korte termijn werkende exploitcode wordt gepubliceerd, waarmee grootschalig misbruik eenvoudiger wordt.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "CrushFTP heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Unprotected Alternate Channel",
        "title": "CWE-420"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025"
      }
    ],
    "title": "Kwetsbaarheid verholpen in CrushFTP",
    "tracking": {
      "current_release_date": "2025-08-28T07:59:34.275023Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.2"
        }
      },
      "id": "NCSC-2025-0234",
      "initial_release_date": "2025-07-21T08:34:35.304610Z",
      "revision_history": [
        {
          "date": "2025-07-21T08:34:35.304610Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        },
        {
          "date": "2025-08-28T07:59:34.275023Z",
          "number": "1.0.1",
          "summary": "Er worden diverse Proof-of-Concepts (PoC) gepubliceerd."
        }
      ],
      "status": "final",
      "version": "1.0.1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/10|\u003c10.8.5",
                "product": {
                  "name": "vers:unknown/10|\u003c10.8.5",
                  "product_id": "CSAFPID-2987210"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/11|\u003c11.3.4_23",
                "product": {
                  "name": "vers:unknown/11|\u003c11.3.4_23",
                  "product_id": "CSAFPID-2987211"
                }
              }
            ],
            "category": "product_name",
            "name": "CrushFTP"
          }
        ],
        "category": "vendor",
        "name": "CrushFTP"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-54309",
      "cwe": {
        "id": "CWE-420",
        "name": "Unprotected Alternate Channel"
      },
      "notes": [
        {
          "category": "other",
          "text": "Unprotected Alternate Channel",
          "title": "CWE-420"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2987210",
          "CSAFPID-2987211"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-54309 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54309.json"
        }
      ],
      "title": "CVE-2025-54309"
    }
  ]
}

WID-SEC-W-2025-1608

Vulnerability from csaf_certbund - Published: 2025-07-20 22:00 - Updated: 2025-07-22 22:00

Summary

CrushFTP: Schwachstelle ermöglicht Erlangen von Administratorrechten

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: CrushFTP ist eine File-Transfer Software für verschiedene Plattformen.

Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in CrushFTP ausnutzen, um Administratorrechte zu erlangen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2025-54309

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
CrushFTP CrushFTP <11.3.4_23 CrushFTP / CrushFTP		<11.3.4_23
CrushFTP CrushFTP <10.8.5 CrushFTP / CrushFTP		<10.8.5

References

5 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.crushftp.com/crush11wiki/Wiki.jsp?pag…	external
https://github.com/advisories/GHSA-rh5q-v9ww-rqgm	external
https://www.cisa.gov/known-exploited-vulnerabilit…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "CrushFTP ist eine File-Transfer Software f\u00fcr verschiedene Plattformen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in CrushFTP ausnutzen, um Administratorrechte zu erlangen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1608 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1608.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1608 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1608"
      },
      {
        "category": "external",
        "summary": "CrushFTP Advisory vom 2025-07-20",
        "url": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-rh5q-v9ww-rqgm vom 2025-07-20",
        "url": "https://github.com/advisories/GHSA-rh5q-v9ww-rqgm"
      },
      {
        "category": "external",
        "summary": "CISA Known Exploited Vulnerabilities Catalog vom 2025-07-20",
        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
      }
    ],
    "source_lang": "en-US",
    "title": "CrushFTP: Schwachstelle erm\u00f6glicht Erlangen von Administratorrechten",
    "tracking": {
      "current_release_date": "2025-07-22T22:00:00.000+00:00",
      "generator": {
        "date": "2025-07-23T04:56:57.406+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-1608",
      "initial_release_date": "2025-07-20T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-07-20T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-07-22T22:00:00.000+00:00",
          "number": "2",
          "summary": "Schwachstelle wird ausgenutzt"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c10.8.5",
                "product": {
                  "name": "CrushFTP CrushFTP \u003c10.8.5",
                  "product_id": "T045521"
                }
              },
              {
                "category": "product_version",
                "name": "10.8.5",
                "product": {
                  "name": "CrushFTP CrushFTP 10.8.5",
                  "product_id": "T045521-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:crushftp:crushftp:10.8.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.3.4_23",
                "product": {
                  "name": "CrushFTP CrushFTP \u003c11.3.4_23",
                  "product_id": "T045522"
                }
              },
              {
                "category": "product_version",
                "name": "11.3.4_23",
                "product": {
                  "name": "CrushFTP CrushFTP 11.3.4_23",
                  "product_id": "T045522-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:crushftp:crushftp:11.3.4_23"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "CrushFTP"
          }
        ],
        "category": "vendor",
        "name": "CrushFTP"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-54309",
      "product_status": {
        "known_affected": [
          "T045522",
          "T045521"
        ]
      },
      "release_date": "2025-07-20T22:00:00.000+00:00",
      "title": "CVE-2025-54309"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-54309 (GCVE-0-2025-54309)

CISA

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

Shadowserver

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Characteristics

Timestamps

Scope

Evidence

Honeypot In The Wild Attempts Confidence: 70% Source: shadowserver

Details

References

KEVIntel

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Public Report Successful Exploitation Confidence: 70% Source: kevintel

Details

References

BDU:2025-08775

FKIE_CVE-2025-54309

GHSA-RH5Q-V9WW-RQGM

NCSC-2025-0234

WID-SEC-W-2025-1608

Tags

Sightings

Nomenclature