CVE-2025-54309

Sažetak

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

Reference

https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability
https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability

CVSS

Base:	9.0
Impact:	6.0
Exploitability:	2.2

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Zadnje važnije ažuriranje

25-09-2025 - 18:03

Objavljeno

18-07-2025 - 19:15