External risk intelligence

CrushFTP DMZ Proxy Vulnerability Allows Admin Access

CVE advisoryKnown Exploit

CVE-2025-54309

A vulnerability in CrushFTP's AS2 validation can allow remote attackers to obtain administrative access to affected systems. This could lead to a compromise of data and business operations.

5Halo Surface Signal

Crushftp

10.0.0 to before 10.8.511.0.0 to before 11.3.4_23

External exposure likelihood

Halo Surface Signal score for CVE-2025-54309

CrushFTP is a file transfer server designed to be accessed over the internet for file management and transfers. The vulnerability affects the application directly via HTTPS, which is the primary public-facing interface for this product in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in CrushFTP's AS2 validation feature, when not utilizing the DMZ proxy, can be exploited by remote attackers. This flaw allows for unauthorized administrative access to the affected systems. The impact can include a complete compromise of the server's control and data.

Vulnerable CrushFTP feature: AS2 validation
Core weakness: Improper AS2 validation handling
Main business impact: Unauthorized administrative access

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to gain administrative access to affected systems. The attack exploits a weakness in how the application handles AS2 validation when a specific security feature, the DMZ proxy, is not in use. This oversight enables unauthorized remote access through HTTPS, which has been observed in active exploitation.

External access to the application is required.
An attacker gains administrative control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant threat due to its potential for attackers to gain administrative access to affected systems. The exploitation occurs remotely and does not require any prior access or specific user interaction, making it a prime target for sophisticated adversaries. Given the ease of exploitation and the critical access it grants, organizations using this software should prioritize addressing this issue.

Likely attacker skill level: Low
Required access or conditions: None
Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization using CrushFTP should take immediate steps to identify and secure its assets affected by this vulnerability. The described issue allows for remote attackers to gain administrative access, posing a significant risk to business operations and data confidentiality. Prompt action is necessary to mitigate potential compromise and maintain system integrity.

Identify all instances of the affected software.
Limit external access to vulnerable systems.
Apply vendor updates, verify, and monitor.

Frequently asked questions

What is CrushFTP and its primary function?

CrushFTP is file transfer server software utilized for secure and efficient file sharing and management by businesses and individuals over the internet.

How does CVE-2025-54309 grant administrative privileges?

CVE-2025-54309 is a weakness in CrushFTP's AS2 validation process. When the DMZ proxy feature is disabled, this validation is improperly handled, enabling remote attackers to achieve administrative control via HTTPS.

What conditions are necessary for an attacker to exploit this vulnerability?

An attacker must be able to access the CrushFTP server through HTTPS. The vulnerability is present when the DMZ proxy feature is not utilized, and the AS2 validation is mishandled.

What is the significance of CVE-2025-54309 in the current threat landscape?

Halo Surface Signal indicates this vulnerability is 'very likely' to be exploited. CrushFTP is designed for internet-facing file management, and the flaw allows remote administrative access via its primary HTTPS interface, posing a significant risk.

What actions should organizations take to address this vulnerability?

Organizations should identify all affected CrushFTP instances, restrict external access to vulnerable systems, and apply vendor-provided updates. Verification and ongoing monitoring are also crucial steps to maintain system integrity.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.