CVE-2025-54309: New CrushFTP Zero-Day Exploited in the Wild
[Update] “Exploit Details and PoC for CVE-2025-54309 Released”
A zero-day vulnerability in CrushFTP, tracked as CVE-2025-54309, is under active exploitation. The flaw allows attackers to gain administrator-level access through the HTTPS interface on unpatched servers. Successful exploitation can lead to full control of the platform, enabling file theft, privilege escalation, and deeper network compromise.
CrushFTP is widely adopted by organizations that manage sensitive file exchanges across regulated and high-trust environments. Its position as a core component in secure data workflows makes it a valuable target for attackers aiming for privileged access and network footholds.
What Is CVE-2025-54309?
CVE-2025-54309 (CVSS 9.0) is a critical vulnerability caused by improper AS2 validation when the DMZ proxy feature is disabled. Exploiting this flaw allows remote attackers to bypass authentication and perform administrative actions via HTTPS.
The issue affects CrushFTP versions prior to 10.8.5 and 11.3.4_23. Builds released after July 1, 2025, contain the fix. Systems running these updated versions are not vulnerable.

CVE-2025-54309 (SOCRadar Vulnerability Intelligence)
How Attackers Exploit the Flaw
Attackers target the HTTPS interface by sending crafted requests that abuse incomplete validation logic. The bug originated from a rarely used feature, and while a previous update unintentionally mitigated it, adversaries reverse engineered those changes and weaponized the vulnerability in older builds.
After gaining access, attackers can create new administrator accounts, modify default configurations, and maintain persistence. These actions provide control over file transfer operations and open the door to broader compromise.
Active Exploitation and Threat Context
CrushFTP reported detecting active exploitation on July 18, although evidence suggests the attacks may have started earlier. External scans show approximately 295,534 CrushFTP instances exposed to the internet as of July 21, significantly widening the potential attack surface.

Shodan report showing 295K exposed CrushFTP instances worldwide.
Organizations should investigate the following warning signs of compromise:
- Modifications in MainUsers/default/user.xml, including new “last_logins” entries
- Unknown admin accounts with long random IDs, such as 7a0d26089ac528941bf8cb998d97f408m
- Interface anomalies, such as missing UI buttons or unexpected Admin privileges for standard users
- Administrative logins from unfamiliar IP addresses
- Unexplained changes to folder permissions in sensitive directories
These indicators suggest unauthorized access and privilege escalation, both common steps in post-exploitation activity.
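A defender-side way to sweep for the first four indicators above is to parse the user configuration export and flag account names shaped like the random ID quoted on the page, admin flags on accounts that are not expected to have them, and admin logins from outside trusted ranges. The script below is an added example and not code from SOCRadar, watchTowr or the CrushFTP project; the XML layout it parses (`<users>/<user>/<username>`, `<admin>`, `<last_logins>/<login ip=…>`) is constructed for illustration and is not CrushFTP's actual user.xml schema, so the tag names must be adapted to a real export before use. The trusted network and the sample accounts are likewise constructed.

```python
"""Sweep a constructed user.xml-style export for the indicators listed above.

Added example, not code from SOCRadar, watchTowr or the CrushFTP project.
The XML layout is constructed for illustration: CrushFTP's real user.xml
schema is not reproduced here, so adapt the tag names before use.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Usernames shaped like the one reported on the page: 32 hex characters,
# optionally followed by a single letter (e.g. 7a0d26089ac528941bf8cb998d97f408m).
RANDOM_ID_RE = re.compile(r"^[0-9a-f]{32}[a-z]?$")

# Constructed sample: two legitimate accounts and one that trips several
# indicators at once (random-looking name, admin flag, login from an
# address outside the trusted range).
SAMPLE_USER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user>
    <username>crushadmin</username>
    <admin>true</admin>
    <last_logins>
      <login ip="10.20.0.15" time="2025-07-10T08:12:00Z"/>
    </last_logins>
  </user>
  <user>
    <username>partner_upload</username>
    <admin>false</admin>
    <last_logins>
      <login ip="10.20.0.44" time="2025-07-12T14:03:00Z"/>
    </last_logins>
  </user>
  <user>
    <username>7a0d26089ac528941bf8cb998d97f408m</username>
    <admin>true</admin>
    <last_logins>
      <login ip="203.0.113.77" time="2025-07-19T02:41:00Z"/>
    </last_logins>
  </user>
</users>
"""

# Constructed: the ranges from which admin logins are expected.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def ip_is_trusted(ip_text, nets=TRUSTED_ADMIN_NETS):
    """True when ip_text parses and falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def find_indicators(xml_text, known_admins=("crushadmin",), nets=TRUSTED_ADMIN_NETS):
    """Return a list of (username, reason) tuples, one entry per indicator hit."""
    root = ET.fromstring(xml_text)
    hits = []
    for user in root.iter("user"):
        name = (user.findtext("username") or "").strip()
        is_admin = (user.findtext("admin") or "").strip().lower() == "true"
        if RANDOM_ID_RE.match(name):
            hits.append((name, "random-looking account id"))
        if is_admin and name not in known_admins:
            hits.append((name, "admin flag on unexpected account"))
        for login in user.iter("login"):
            ip = login.get("ip", "")
            if is_admin and not ip_is_trusted(ip, nets):
                hits.append((name, f"admin login from untrusted ip {ip}"))
    return hits


if __name__ == "__main__":
    for name, reason in find_indicators(SAMPLE_USER_XML):
        print(f"{name}: {reason}")
```

Run against a real export, the `known_admins` tuple should hold every account that legitimately carries admin rights, so that anything else flagged as admin stands out; comparing the current file against a backup that predates the exploitation window (the page suggests July 16) catches additions the pattern check alone would miss.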
Exploit Details and PoC for CVE-2025-54309 Released
Researchers at watchTowr Labs have released a deep dive into how the CrushFTP authentication bypass works in practice. Their honeypot network captured live exploitation attempts, confirming the race condition attack chain that grants attackers full administrative access.
The analysis showed that attackers pair two HTTP requests in quick succession — one impersonating the built-in crushadmin account, followed by another that executes privileged actions under that identity. Alone, neither request succeeds, but when timed correctly, they create a persistent backdoor for adversaries.
To support defenders, researchers also published a Proof-of-Concept (PoC) on GitHub. Instead of creating an admin account, the script safely validates whether a system is exposed by extracting a user list.
How to Mitigate the Risk
The most effective mitigation is to apply the official patch immediately. Organizations should upgrade to CrushFTP 10.8.5 or later for version 10 deployments and 11.3.4_23 or later for version 11. Instances running older builds remain at risk.
If patching cannot be completed immediately, security teams should verify the integrity of key configuration files, especially user.xml, and look for signs of tampering. Restoring the default user configuration from a clean backup can help recover from compromise, provided the backup predates July 16.
Restricting administrative access to trusted IP ranges adds another layer of protection, and enabling automatic updates reduces exposure to future zero-day risks. While deploying a DMZ instance or segmenting the service can help, these measures should complement, not replace, timely patching.
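For an inventory sweep, the patch guidance above reduces to a version comparison that has to handle the `_23` build suffix correctly, since a plain string compare would rank 11.3.4_23 below 11.3.5 but also misorder 11.3.4_9 against 11.3.4_23. The script below is an added example, not SOCRadar or CrushFTP code; it assumes the version-string shape `major.minor.patch[_build]` seen in the numbers quoted on this page, treats a missing build suffix as build 0, and, as a conservative design choice of this example, flags any major line the page does not name.

```python
"""Classify CrushFTP version strings against the fixed builds named on this
page: 10.8.5 for the 10.x line and 11.3.4_23 for the 11.x line.

Added example, not SOCRadar or CrushFTP code. The version-string shape
"major.minor.patch[_build]" is assumed from the numbers quoted above.
"""
import re

# Fixed builds from the page, keyed by major line, as comparable tuples.
FIXED_BUILDS = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text):
    """'11.3.4_23' -> (11, 3, 4, 23); a missing build suffix counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(text):
    """True when the version predates the fixed build for its major line.

    Major lines the page does not name (e.g. 9.x) are not covered by the
    stated fix and are flagged here on the conservative side (assumption).
    """
    v = parse_version(text)
    fixed = FIXED_BUILDS.get(v[0])
    if fixed is None:
        return True
    return v < fixed


def triage(inventory):
    """inventory: dict host -> version string. Returns hosts still needing the patch."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = {
        "ftp-a.example.test": "11.3.4_22",
        "ftp-b.example.test": "11.3.4_23",
        "ftp-c.example.test": "10.8.4",
        "ftp-d.example.test": "10.8.5",
        "ftp-e.example.test": "11.3.5",
    }
    for host in triage(sample):
        print(f"{host} runs {sample[host]}: upgrade required")
```

Tuple comparison does the work: `(11, 3, 4, 22) < (11, 3, 4, 23)` is vulnerable while `(11, 3, 5, 0)` is not, and a bare `11.3.4` parses to build 0 and is correctly flagged, which matches the page's statement that builds prior to 11.3.4_23 are affected.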
Stay Ahead of Exploits with SOCRadar
Defending against zero-day vulnerabilities like CVE-2025-54309 requires complete visibility and timely intelligence. SOCRadar’s Attack Surface Management (ASM) identifies exposed assets, while its Cyber Threat Intelligence (CTI) module delivers real-time alerts on new vulnerabilities, active exploit campaigns, and IOCs.

Monitor your assets and quickly identify vulnerabilities with SOCRadar Attack Surface Management
With SOCRadar, security teams can:
- Continuously discover internet-facing systems
- Detect vulnerabilities and exploitation trends early
- Track IOCs and gain context for faster remediation
Strengthen your defense strategy with SOCRadar XTI and minimize your exposure to zero-day risks.
