Updated:
Status:
CVEs: CVE-2025-54309
Fortra is actively researching a zero-day vulnerability in CrushFTP that allows unauthenticated remote attackers to obtain administrative privileges over HTTPS, caused by mishandling of AS2 validation when the DMZ proxy feature is not in use. With admin access, an attacker can exfiltrate data, plant backdoors, or pivot into internal systems that trust the server for file exchange.
CVE | CVSS v3.1 vector | Score |
---|---|---|
CVE-2025-54309 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 9.0, Critical |
IoCs released by CrushFTP
- Default user has admin access
- Long random user IDs created (For example, 7a0d26089ac528941bf8cb998d97f408m)
- Other new usernames created with admin access
- "MainUsers/default/user.xml" file was recently modified and contains a value for "last_logins"
- Buttons from the end-user web interface disappeared, and users previously identified as regular users now have an Admin button
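As an added example (not CrushFTP's or Fortra's tooling), the following Python script walks a MainUsers directory and flags the file-level indicators from the list above: usernames shaped like the long random ID the vendor cites, user.xml files modified after a cutoff you choose, and a `last_logins` value inside the default user's user.xml. The sample tree it scans is constructed inline. The element name `last_logins` is taken from the vendor IoC; where it sits inside user.xml is an assumption, so the script searches the whole document for it. It does not check the "admin access" indicators, because the page does not say which user.xml field carries admin rights.

```python
import os
import re
import tempfile
import time
import xml.etree.ElementTree as ET

# Pattern for the long random user IDs in the vendor IoC list:
# 32 lowercase hex characters with an optional trailing "m"
# (e.g. 7a0d26089ac528941bf8cb998d97f408m).
RANDOM_ID_RE = re.compile(r"^[0-9a-f]{32}m?$")


def scan_main_users(main_users_dir, modified_since):
    """Return (username, finding) tuples for the page's file-level IoCs.

    modified_since is epoch seconds; any user.xml changed after it is flagged.
    """
    findings = []
    for name in sorted(os.listdir(main_users_dir)):
        user_xml = os.path.join(main_users_dir, name, "user.xml")
        if not os.path.isfile(user_xml):
            continue

        if RANDOM_ID_RE.match(name):
            findings.append((name, "long random user ID"))

        if os.path.getmtime(user_xml) > modified_since:
            findings.append((name, "user.xml modified after cutoff"))

        # The default user is a template and should never have logged in,
        # so a populated last_logins element is suspicious on its own.
        if name == "default":
            try:
                root = ET.parse(user_xml).getroot()
            except ET.ParseError:
                findings.append((name, "user.xml is not well-formed XML"))
                continue
            # Assumption: last_logins may appear anywhere in the document.
            node = root.find(".//last_logins")
            if node is not None and (node.text or "").strip():
                findings.append((name, "default user.xml carries a last_logins value"))
    return findings


def build_sample_tree(base):
    """Constructed sample MainUsers tree (not real server data)."""
    users = {
        "default": "<user><username>default</username>"
                   "<last_logins>1</last_logins></user>",
        "alice": "<user><username>alice</username></user>",
        "7a0d26089ac528941bf8cb998d97f408m":
            "<user><username>7a0d26089ac528941bf8cb998d97f408m</username></user>",
    }
    for name, body in users.items():
        user_dir = os.path.join(base, name)
        os.makedirs(user_dir)
        with open(os.path.join(user_dir, "user.xml"), "w") as fh:
            fh.write(body)
    # Backdate alice's file so it falls before the cutoff used below.
    old = time.time() - 30 * 86400
    os.utime(os.path.join(base, "alice", "user.xml"), (old, old))
    return base


def run_demo():
    """Scan the constructed tree with a 7-day cutoff and return the findings."""
    base = build_sample_tree(tempfile.mkdtemp())
    cutoff = time.time() - 7 * 86400
    return scan_main_users(base, cutoff)


if __name__ == "__main__":
    for username, finding in run_demo():
        print(f"{username}: {finding}")
```

Run it against a real install by calling `scan_main_users("<CrushFTP folder>/users/MainUsers", cutoff)` with a cutoff set to the last time you know the server was clean; treat every hit on the default user or on a random-ID username as an incident, not a false positive to triage later.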
Who is affected?
CVE-2025-54309 impacts the following versions of CrushFTP:
- All 10.x versions below 10.8.5.
- All 11.x versions below 11.3.4_23.
Note: Enterprise customers with a DMZ CrushFTP instance in front of their main instance are not affected by this vulnerability.
What can I do?
CrushFTP recommends the following actions to mitigate this vulnerability.
- Install the latest available patched versions
- Limit the IP addresses for administrative actions
- Allowlist IPs that can connect to the CrushFTP server
- For enterprise users, use DMZ CrushFTP instance
- Enable automatic updates
Install the latest available patched versions.
- CrushFTP 11.3.4_26
- CrushFTP 10.8.5_12
If your organization was impacted, the vendor recommends the following:
- Restore a prior default user from your backup folder (CrushFTP folder/backup/users/MainUsers/default) from a date/time before the compromise.
- If restoring is not possible, you can delete your default user, and CrushFTP will re-create it, but prior customizations will be lost.
Additional information can be found at:
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. As new information about this vulnerability and related security coverage becomes available, this article will be updated.