A weaponized proof-of-concept exploit has been publicly released for CVE-2025-54309, a critical authentication bypass vulnerability affecting CrushFTP file transfer servers.
The flaw lets remote attackers gain administrative privileges through a race condition in AS2 validation processing, bypassing authentication entirely.
Key takeaways:
1. A race-condition exploit lets attackers bypass CrushFTP authentication.
2. A public PoC on GitHub confirms vulnerable instances without adding backdoors.
3. Upgrade, enable the DMZ proxy, and watch for POST spikes.
First exploited in the wild in July 2025, the vulnerability affects CrushFTP versions 10 before 10.8.5 and 11 before 11.3.4_23 when the DMZ proxy feature is disabled, a configuration that applies to the majority of deployed instances across enterprise environments.
CrushFTP 0-day Vulnerability
The vendor postmortem published on July 18, 2025, acknowledged active targeting of CrushFTP instances but blamed customers for failing to apply a silent patch that was never publicly announced.
With over 30,000 instances exposed online, attackers exploited the mishandling of AS2 validation to gain administrative access via HTTPS.
Specifically, the flaw resides in the WebInterface/function/ endpoint, where two sequential HTTP POST requests race to set session state:
By issuing Request 1 (with the AS2-TO: crushadmin header) immediately followed by Request 2 (omitting the header but reusing the same session cookies), attackers win a race condition that impersonates the built-in crushadmin user and successfully invokes setUserItem to create a new administrative account.
Standalone requests return 404, but when executed at high concurrency, Request 2 returns a 200 OK response confirming administrative user creation.
Risk factors:
Affected products: CrushFTP 10 versions before 10.8.5; CrushFTP 11 versions before 11.3.4_23
Impact: Authentication bypass, remote code execution
Exploit prerequisites: DMZ proxy feature disabled; ability to send sequential HTTPS POST requests; valid CrushAuth and currentAuth cookies
CVSS 3.1 score: 9.8 (Critical)
PoC Exploit
watchTowr Labs has published a fully functional PoC exploit on GitHub, enabling security teams to verify vulnerable CrushFTP instances without adding persistent backdoors.
The PoC merely extracts the user list to confirm exploitation:
Additionally, researchers recommend monitoring for anomalous spikes in POST requests to /WebInterface/function/ with repetitive AS2-TO and cookie patterns.
Security teams should deploy intrusion detection signatures matching this race condition and implement network rate-limiting to mitigate high-frequency exploit attempts.
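The monitoring advice above can be turned into a concrete detection. The following is an added example, not code from CrushFTP or from the watchTowr PoC: it scans a constructed access-log format (timestamp, client IP, method, path, status, AS2-TO header value, CrushAuth cookie value, one request per line) and flags any session cookie that either bursts POSTs to /WebInterface/function/ or alternates between sending and omitting the AS2-TO header, which is the request shape the article describes. The log format, the sample lines and the thresholds are all constructed; real CrushFTP logs need their own parser and the thresholds must be tuned against baseline traffic.

```python
"""Detection logic for the CVE-2025-54309 request pattern in CrushFTP access logs.

Added example, not CrushFTP's or watchTowr's tooling. It assumes a constructed
log format (one request per line): timestamp, client IP, HTTP method, path,
status, AS2-TO=<value or ->, CrushAuth=<cookie or ->. Real CrushFTP logs would
need their own parser; the thresholds below are also constructed and must be
tuned against baseline traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_PATH = "/WebInterface/function/"
WINDOW = timedelta(seconds=10)   # constructed burst window
POST_THRESHOLD = 20              # constructed: POSTs per session within WINDOW
TOGGLE_THRESHOLD = 5             # constructed: AS2-TO header on/off flips per session
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def build_sample_log():
    """Constructed sample: benign traffic plus one burst matching the described race."""
    lines = [
        "2025-07-20T10:00:00.000000Z 198.51.100.4 GET /WebInterface/ 200 AS2-TO=- CrushAuth=user1cookie",
        "2025-07-20T10:00:02.000000Z 198.51.100.4 POST /WebInterface/function/ 200 AS2-TO=- CrushAuth=user1cookie",
        "2025-07-20T10:00:05.000000Z 198.51.100.4 POST /WebInterface/function/ 200 AS2-TO=- CrushAuth=user1cookie",
    ]
    base = datetime(2025, 7, 20, 10, 1, 0)
    for i in range(24):
        ts = (base + timedelta(milliseconds=100 * i)).strftime(TS_FMT)
        as2 = "crushadmin" if i % 2 == 0 else "-"   # header present, then omitted, repeatedly
        status = 200 if i == 23 else 404            # the final header-less request "wins"
        lines.append(f"{ts} 203.0.113.7 POST {TARGET_PATH} {status} AS2-TO={as2} CrushAuth=attackercookie")
    return lines


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, ip, method, path, status, as2, cookie = line.split()
    return {
        "ts": datetime.strptime(ts, TS_FMT),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
        "as2_to": as2.split("=", 1)[1],
        "cookie": cookie.split("=", 1)[1],
    }


def analyze(lines):
    """Return one finding per session cookie whose POSTs to the endpoint look like the race."""
    by_session = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e["method"] == "POST" and e["path"] == TARGET_PATH and e["cookie"] != "-":
            by_session[e["cookie"]].append(e)

    findings = []
    for cookie, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        # Signal 1: densest run of POSTs inside WINDOW (sliding window over sorted events).
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        # Signal 2: the same session alternating between sending and omitting AS2-TO.
        toggles = sum(1 for a, b in zip(evs, evs[1:]) if (a["as2_to"] == "-") != (b["as2_to"] == "-"))
        admin_header = any(e["as2_to"].lower() == "crushadmin" for e in evs)
        if peak >= POST_THRESHOLD or (admin_header and toggles >= TOGGLE_THRESHOLD):
            findings.append({
                "cookie": cookie,
                "ip": evs[0]["ip"],
                "peak_posts_in_window": peak,
                "as2_to_toggles": toggles,
                "admin_header_seen": admin_header,
                # A 200 on a header-less request after the pattern above is the success signature.
                "success_without_header": any(e["status"] == 200 and e["as2_to"] == "-" for e in evs),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

Keying on the session cookie rather than the source IP matters here: the described race reuses the same cookies across both requests, so the toggle signal survives even when an attacker spreads requests across several addresses. A finding with `admin_header_seen` and `success_without_header` both true is the case to escalate, and the follow-up is the audit of newly created administrative users mentioned in the mitigation steps.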
Mitigation includes:
Upgrade to CrushFTP 10.8.5 or 11.3.4_23 (or later).
Enable the DMZ proxy feature if not already configured.
Audit administrative user additions and validate session reuse patterns.
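For an inventory sweep, the affected ranges in the advisory translate into a simple version check. This is an added example, not CrushFTP's own code; it encodes only the ranges stated above (10 before 10.8.5, 11 before 11.3.4_23, exploitable when the DMZ proxy is disabled) and assumes that a version string without a "_<build>" suffix should be compared as build 0.

```python
"""Check whether a CrushFTP version/configuration pair falls in the affected range.

Added example, not CrushFTP's own code. The affected ranges are those stated in the
advisory (10 before 10.8.5, 11 before 11.3.4_23, with the DMZ proxy disabled).
Assumption: a version string without a "_<build>" suffix is treated as build 0.
"""

# Fixed builds per major line, as (major, minor, patch, build).
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}


def parse_version(version):
    """Turn e.g. '11.3.4_23' into a comparable tuple (11, 3, 4, 23)."""
    base, _, build = version.strip().partition("_")
    parts = [int(p) for p in base.split(".")]
    if len(parts) != 3:
        raise ValueError(f"unexpected CrushFTP version format: {version!r}")
    return (*parts, int(build) if build else 0)


def is_vulnerable(version, dmz_proxy_enabled=False):
    """True when the version is below the fixed build for its major line and the DMZ proxy is off."""
    parsed = parse_version(version)
    major = parsed[0]
    if major not in FIXED:
        raise ValueError(f"no advisory data for CrushFTP major version {major}")
    if dmz_proxy_enabled:
        # The advisory scopes the flaw to deployments with the DMZ proxy disabled.
        return False
    return parsed < FIXED[major]


if __name__ == "__main__":
    for v in ("10.8.4", "10.8.5", "11.3.4", "11.3.4_22", "11.3.4_23"):
        print(v, "vulnerable" if is_vulnerable(v) else "not affected")
```

The check refuses to guess about major versions the advisory does not cover rather than silently reporting them as safe, which is the failure mode to avoid in a fleet-wide script.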
Organizations using CrushFTP should treat CVE-2025-54309 as a critical risk and act swiftly to defend against in-the-wild exploitation.