CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HCrushftp
APPCrushftp10.0.0 – 10.8.5 (bez)11.0.0 – 11.3.4_23 (bez)
CISA KEV — detailsi
- Vendori
- CrushFTP
- Producti
- CrushFTP
- Added to KEVi
- July 22, 2025
- Remediation deadline (US Federal)i
- August 12, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.
Related vulnerabilities
CrushFTP – pominięcie uwierzytelnienia i przejęcie konta administratora
Server Side Template Injection w CrushFTP — RCE bez uwierzytelnienia
CrushFTP: Przejęcie konta przez błąd w resetowaniu hasła
CrushFTP – krytyczna podatność na manipulację atrybutami obiektów (przed wersją 10.5.1)
CrushFTP 8.x before 8.2.0 has a serialization vulnerability.