CVE-2025-54309 · CRITICAL 9.8 · CISA KEV · EPSS p99.8%

CVE-2025-54309 CrushFTP Unprotected Alternate Channel Vulnerability

Vendor / Product: CrushFTP / CrushFTP

Description

CrushFTP contains an unprotected alternate channel vulnerability (CWE-420). Per the NVD description, CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandle AS2 validation and consequently allow remote attackers to obtain admin access via HTTPS. The flaw was exploited in the wild as a zero-day in July 2025 (see references).
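The description above gives the practitioner two things to act on: the fixed versions (10.8.5 and 11.3.4_23, from the NVD text) and the mitigating condition (a DMZ proxy in front of the instance). The following triage helper is an added example, not code from CrushFTP or from this page; it parses CrushFTP's "major.minor.patch_build" version strings, decides whether a version is below the fix for its line, and flags which hosts are directly exposed. The inventory format, the host names and the `triage` / `triage_inventory` function names are assumptions made for the example.

```python
"""Version triage for CVE-2025-54309 (CrushFTP AS2 validation bypass).

Fixed versions are taken from the NVD description: 10.8.5 for the 10.x line
and 11.3.4_23 for the 11.x line.  The inventory format and everything else
here is an assumption for this example, not CrushFTP's own tooling.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed build per affected major line (major, minor, patch, build).
FIXED_IN: Dict[int, Tuple[int, int, int, int]] = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}

# CrushFTP versions look like "11.3.4" or "11.3.4_23"; the "_N" is a build.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.3.4_23' into (11, 3, 4, 23); a missing build counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def triage(version: str, dmz_proxy: bool = False) -> Dict[str, Optional[object]]:
    """Classify one instance.

    affected: True if below the fix for its line, False if at/after it,
              None if the major line is not named in the advisory (e.g. 9.x).
    exposed:  affected and not fronted by the DMZ proxy, i.e. the condition
              under which the CVE text says admin access is obtainable.
    """
    v = parse_version(version)
    fixed = FIXED_IN.get(v[0])
    if fixed is None:
        affected: Optional[bool] = None
        fixed_in: Optional[str] = None
    else:
        affected = v < fixed
        fixed_in = f"{fixed[0]}.{fixed[1]}.{fixed[2]}" + (
            f"_{fixed[3]}" if fixed[3] else ""
        )
    return {
        "version": version,
        "affected": affected,
        "exposed": bool(affected) and not dmz_proxy,
        "fixed_in": fixed_in,
    }


# Constructed sample inventory (not real hosts): host,version,dmz_proxy
SAMPLE_INVENTORY = """\
# host,version,dmz_proxy
ftp-a.example.internal,11.3.4_22,no
ftp-b.example.internal,11.3.4_23,no
ftp-c.example.internal,10.8.4,yes
ftp-d.example.internal,11.3.4,no
"""


def triage_inventory(csv_text: str) -> List[Dict[str, Optional[object]]]:
    """Run triage() over a small CSV inventory; comments and blanks are skipped."""
    rows = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version, dmz = (field.strip() for field in line.split(","))
        result = triage(version, dmz_proxy=dmz.lower() in ("yes", "true", "1"))
        result["host"] = host
        rows.append(result)
    return rows


if __name__ == "__main__":
    for r in triage_inventory(SAMPLE_INVENTORY):
        state = "EXPOSED" if r["exposed"] else ("patched" if r["affected"] is False else "review")
        print(f"{r['host']:<28} {r['version']:<10} {state}  (fixed in {r['fixed_in']})")
```

A host on 11.3.4 with no build suffix is treated as build 0 and therefore below 11.3.4_23, which is the case most likely to be missed by a naive string comparison. A DMZ-fronted host is reported as not exposed but still affected; it should be patched, not skipped.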

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 92.03% probability of exploitation · percentile 99.8% · scored 2026-06-18T12:00:27Z
Published: 2025-07-18
Last modified: 2025-11-05

CISA KEV entry

Added to KEV: 2025-07-22

Underlying weaknesses · 1

CWE-420 (Unprotected Alternate Channel)

References

  1. https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/
  2. https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
  3. https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
  4. https://www.vicarius.io/vsociety/posts/cve-2025-54309-detect-crushftp-vulnerability
  5. https://www.vicarius.io/vsociety/posts/cve-2025-54309-mitigate-crushftp-vulnerability
  6. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54309

Relations (outgoing) · 1

Type: Weakness · Target: Unprotected Alternate Channel (cwe-420) · Confidence: 0% · Tier: live

Relations (incoming) · 1

Type: KEV entry · Target: CrushFTP Unprotected Alternate Channel Vulnerability (kev-cve-2025-54309) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE · CrushFTP Authentication Bypass Vulnerability
CVE · CrushFTP VFS Sandbox Escape Vulnerability
CVE · CVE-2025-49195
CVE · CVE-2025-10966
CVE · CVE-2026-1502
CVE · CVE-2025-6979

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.