CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-54309

CVSS 9.0v3.1pub. 2025-07-18upd. 2025-11-05

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Crushftp

    APP
    Crushftp
    10.0.0 – 10.8.5 (bez)11.0.0 – 11.3.4_23 (bez)

CISA KEV — detailsi

Vendori
CrushFTP
Producti
CrushFTP
Added to KEVi
July 22, 2025
Remediation deadline (US Federal)i
August 12, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 12 sierpnia 2025
CWE
References

Related vulnerabilities

CVE-2025-31161CRITICAL9.8⚠ KEVPL ✓ten sam produkt

CrushFTP – pominięcie uwierzytelnienia i przejęcie konta administratora

CVE-2024-4040CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Server Side Template Injection w CrushFTP — RCE bez uwierzytelnienia

CVE-2024-53552CRITICAL9.8PL ✓ten sam produkt

CrushFTP: Przejęcie konta przez błąd w resetowaniu hasła

CVE-2023-43177CRITICAL9.8PL ✓ten sam produkt

CrushFTP – krytyczna podatność na manipulację atrybutami obiektów (przed wersją 10.5.1)

CVE-2017-14035CRITICAL9.8ten sam produkt

CrushFTP 8.x before 8.2.0 has a serialization vulnerability.