CrushFTP: Older versions can grant unauthorized admin access

A fresh exploit targets a critical vulnerability in older versions of CrushFTP. Secured versions have been available since the beginning of July.


(Image: Alfa Photo/Shutterstock.com)


Anyone using CrushFTP for data transfer should check that the version they are using is up to date. Last Friday, the development team discovered attacks in the wild on older versions, which in the worst case could lead to an attacker taking over the admin account.

According to the CrushFTP developers' advisory, versions released before the beginning of July are vulnerable. Specifically: the 10.x line before 10.8.5 and the 11.x line before 11.3.4_23. Accordingly, all versions from 10.8.5 or 11.3.4_23 upwards are protected. If the DMZ proxy feature is activated, the software is generally not vulnerable.

The vulnerability under attack, CVE-2025-54309, has a CVSS v3 base score of 9.0 (critical). According to the brief description, it stems from a validation error and can be abused over HTTPS to gain admin access. According to the CVSS vector string, an attack requires neither user interaction nor prior authentication on the attacker's part; the attack complexity, however, is rated as high.

Anyone who has missed the protective updates and has already been compromised or assumes they have been compromised will find indicators of compromise, recommendations for action and some preventive measures for the future in the CrushFTP advisory.

Incidentally, the very brief description of the attack is reminiscent of previous attacks on CrushFTP at the end of last year and during the course of the current year. Active attacks on CrushFTP last made the headlines at heise Security in April: authentication mechanisms could also be bypassed back then (with the DMZ function switched off).

(ovw)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.