Ryan Marshall
CVE-2025-54309: Critical CrushFTP Zero-Day – What You Need to Know

What Is CVE-2025-54309?

On July 18, 2025, Ben Spink, CEO of the popular managed file transfer (MFT) product CrushFTP, released an advisory confirming a critical Remote Code Execution (RCE) vulnerability in outdated versions of the software. The flaw, tracked as CVE-2025-54309, allows unauthenticated attackers to gain full administrative access through specially crafted AS2 requests sent over HTTPS. CrushFTP has since published that enterprise customers running the demilitarized zone (DMZ) proxy feature are not affected by this vulnerability.

  • Affected Versions: CrushFTP 10 before 10.8.5_12 and CrushFTP 11 before 11.3.4_26
  • CVSS Score: 9.0 (Critical)
  • Exploitation: In-the-wild attacks confirmed from July 18, 2025
  • Root Cause: Improper validation of AS2 requests

How the Vulnerability Is Exploited

To exploit this vulnerability, an attacker:

  1. Identifies a target CrushFTP instance that:
    • Is reachable over HTTPS.
    • Has AS2 enabled.
    • Is not fronted by the DMZ proxy feature.
  2. Crafts a malicious AS2 request that impersonates a trusted partner system.
  3. Sends that request over HTTPS to the exposed CrushFTP endpoint.
    The request is shaped to look like a legitimate AS2 exchange but carries instructions the server treats as administrative.
  4. Because the AS2 request is not properly validated, the server processes it with administrative privileges.
  5. The attacker now has:
    • Full administrative access to the CrushFTP server.
    • Potential access to any files, credentials or internal services reachable through that server.
    • The ability to create new users, modify configurations or achieve remote code execution (RCE).

What It Means for Your Organisation

If your CrushFTP server is exposed to the internet, is unpatched, and the DMZ proxy isn't enabled, attackers can:

  • Log in as an admin without credentials
  • Modify server configurations
  • Create new backdoor admin accounts
  • Access, steal, or tamper with any hosted data
  • Launch lateral attacks into your internal network

In other words, successful exploitation means full compromise of a sensitive file-transfer system and of any data hosted on it.


Is Your CrushFTP Server Exposed? What to Look For

If you're handling incident response or threat hunting, focus on:

  • Changes to MainUsers/default/user.xml
    Look for new admin accounts, recently altered timestamps, or the presence of "last_logins" entries, and verify whether the default user has been given administrative privileges.
  • Login records from unfamiliar or foreign IP addresses
  • UI logs showing sudden admin access
  • Evidence of credential exports, bulk file downloads, or internal pivoting
  • References to AS2 headers in the CrushFTP logs shortly before a successful login
    If you do not use AS2 but see AS2 records in the logs, it is time to look deeper.
  • Caution when checking version numbers: attackers have reportedly modified compromised servers to display a fake version number, giving a false sense of security.
    CrushFTP has confirmed that the About tab provides a validate-hash function, which lets you compare the installed files against known-good hashes and spot extra code that may have been dropped.

Pro tip: many attackers are quietly creating stealth admin accounts whose names are random character strings, which are easily missed in a quick review.
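The checks above can be scripted. The following is an added example written for this article, not CrushFTP's own tooling: it audits a set of user.xml documents for the default user gaining admin rights or carrying last_logins entries, flags admin accounts outside a known list and random-looking account names, and scans log lines for AS2 activity on a server that should not see any and for successful logins preceded by AS2 traffic from the same client IP. The user.xml element names (user_admin, last_logins), the log line layout, the KNOWN_ADMINS set and all sample data are constructed assumptions; confirm them against your own installation before relying on the tags and regexes used here.

```python
"""Threat-hunting checks for CVE-2025-54309 indicators on a CrushFTP host.

Added example, not CrushFTP's own tooling. The user.xml element names, the
log line layout and the sample data are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Assumed: the admin accounts you expect to exist. Any other account with
# admin rights is treated as suspect.
KNOWN_ADMINS = {"crushadmin"}

# Constructed sample: username -> contents of MainUsers/<username>/user.xml.
# "default" has been granted admin rights and carries a last_logins entry,
# and a random-looking account has appeared with admin rights.
SAMPLE_USERS = {
    "crushadmin": "<user><username>crushadmin</username><user_admin>true</user_admin></user>",
    "alice.jones": "<user><username>alice.jones</username><user_admin>false</user_admin></user>",
    "default": ("<user><username>default</username><user_admin>true</user_admin>"
                "<last_logins>2025-07-19T02:14:07</last_logins></user>"),
    "xq9Tr2LmQ8vA": "<user><username>xq9Tr2LmQ8vA</username><user_admin>true</user_admin></user>",
}

# Constructed sample log lines in an assumed "timestamp|level|client ip|message" layout.
SAMPLE_LOG = """\
2025-07-19 02:13:58|INFO|203.0.113.7|AS2 header received: AS2-To=partner-gw
2025-07-19 02:14:07|INFO|203.0.113.7|LOGIN success for user default
2025-07-19 02:31:40|INFO|203.0.113.7|LOGIN success for user xq9Tr2LmQ8vA
2025-07-19 08:02:11|INFO|198.51.100.5|LOGIN success for user alice.jones
"""


def is_admin(xml_text):
    """True if any element whose name contains 'admin' is set to true."""
    root = ET.fromstring(xml_text)
    return any("admin" in el.tag.lower() and (el.text or "").strip().lower() == "true"
               for el in root.iter())


def has_last_logins(xml_text):
    """True if a last_logins element is present (the indicator that the
    default user has been logged into)."""
    return ET.fromstring(xml_text).find(".//last_logins") is not None


def looks_random(username):
    """Heuristic for random-character-string backdoor accounts: 8+ chars,
    alphanumeric only, mixing upper case, lower case and digits."""
    if len(username) < 8 or not username.isalnum():
        return False
    return (any(c.isupper() for c in username) and any(c.islower() for c in username)
            and any(c.isdigit() for c in username))


def audit_users(users, known_admins=KNOWN_ADMINS):
    """Return findings over a {username: user.xml text} mapping."""
    findings = []
    for name, xml_text in users.items():
        admin = is_admin(xml_text)
        if name == "default" and admin:
            findings.append("default user has admin rights")
        if name == "default" and has_last_logins(xml_text):
            findings.append("default user has last_logins entries")
        if admin and name != "default" and name not in known_admins:
            findings.append(f"unexpected admin account: {name}")
        if looks_random(name):
            findings.append(f"random-looking account name: {name}")
    return findings


LOG_RE = re.compile(r"^(\S+ \S+)\|\w+\|(\S+)\|(.*)$")
LOGIN_RE = re.compile(r"LOGIN success for user (\S+)")


def parse_log(text):
    """Parse the assumed log layout into (timestamp, client ip, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           m.group(2), m.group(3)))
    return events


def audit_log(text, as2_in_use=False, window_seconds=60):
    """Flag AS2 activity on a server that should not see any, and successful
    logins preceded by AS2 activity from the same IP within the window."""
    events = parse_log(text)
    findings = []
    for ts, ip, msg in events:
        if "AS2" in msg.upper() and not as2_in_use:
            findings.append(f"{ts} AS2 activity from {ip} on a server not using AS2")
        m = LOGIN_RE.search(msg)
        if not m:
            continue
        preceded = any(e[1] == ip and "AS2" in e[2].upper()
                       and 0 < (ts - e[0]).total_seconds() <= window_seconds
                       for e in events)
        if preceded:
            findings.append(f"{ts} login as {m.group(1)} from {ip} preceded by AS2 activity")
    return findings


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS) + audit_log(SAMPLE_LOG):
        print("FINDING:", finding)
```

Run against the constructed samples this reports the default user's admin flag and last_logins entry, the unknown admin xq9Tr2LmQ8vA (also flagged as random-looking), the AS2 line on a server declared not to use AS2, and the default-user login that followed it nine seconds later. To use it on a real host, read each MainUsers/*/user.xml into the mapping and adjust LOG_RE to the actual log format.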

What You Should Do Immediately

If you are NOT yet compromised, you must:

  1. Patch now to 10.8.5_12 or 11.3.4_26 (or later)
  2. Enable the DMZ proxy (even for internal deployments)
  3. Restrict access to the AS2 and admin interfaces (IP allowlisting, VPN)
  4. Monitor logs for admin activity and new account creation
  5. Alert your security team or contact Foregenix to scan for IOCs

If You SUSPECT a Compromise:

  1. Isolate the CrushFTP server
  2. Preserve forensic evidence: configs, logs, memory dumps
  3. Audit all admin accounts for unknown entries
    Check the last login times for every admin account
  4. Review file transfer history for possible data exfiltration
  5. Rotate all credentials – admin, partner, API keys
  6. Rebuild the server from clean backup if needed
  7. Notify stakeholders (legal, compliance, partners)

Advice to Clients

“This is not a typical patch-and-wait situation. This is a zero-day with live exploitation. Assume compromise if you haven’t patched. Investigate now, not later.”

Clients should treat Managed File Transfer (MFT) systems like critical infrastructure. They handle sensitive client files, internal business documents, and financial data. A breach here is a GDPR headache and a potential supply chain risk.


🔐 Hardening for the Future

Here’s how to reduce future exposure:

  • Only expose CrushFTP externally if absolutely necessary
  • Use a DMZ proxy and enforce endpoint validation
  • Limit AS2 usage to trusted IPs only
  • Use host-based intrusion detection to catch unusual activity
  • Enable config file change alerts (watch the MainUsers directory)
  • Log and alert on all admin actions and AS2 activity
  • Run regular forensic readiness drills
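Config file change alerting for the MainUsers directory can be done with a simple integrity baseline. The following is an added example, not part of CrushFTP: it hashes every file under a directory, stores the digests as JSON, and reports files that were added, removed or modified on the next run. The demo() function builds a constructed MainUsers tree in a temporary directory and then simulates an attacker dropping a backdoor account and editing default/user.xml; the directory layout and file contents are assumptions, so point hash_tree at your real MainUsers directory in practice.

```python
"""Change alerting for the CrushFTP MainUsers directory.

Added example, not part of CrushFTP. Builds a SHA-256 baseline of every file
under a directory and reports added, removed and modified files on the next
run. Paths and file contents in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile


def hash_tree(root):
    """Map relative path -> sha256 hex digest for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def save_baseline(digests, path):
    """Persist the baseline; keep this file somewhere the MFT host cannot write."""
    with open(path, "w") as f:
        json.dump(digests, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def diff_tree(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: baseline a fake MainUsers tree, then simulate an
    attacker adding a backdoor admin account and editing default/user.xml."""
    with tempfile.TemporaryDirectory() as tmp:
        main_users = os.path.join(tmp, "MainUsers")
        os.makedirs(os.path.join(main_users, "default"))
        os.makedirs(os.path.join(main_users, "alice.jones"))
        with open(os.path.join(main_users, "default", "user.xml"), "w") as f:
            f.write("<user><username>default</username></user>\n")
        with open(os.path.join(main_users, "alice.jones", "user.xml"), "w") as f:
            f.write("<user><username>alice.jones</username></user>\n")
        baseline_path = os.path.join(tmp, "mainusers.baseline.json")
        save_baseline(hash_tree(main_users), baseline_path)

        # Simulated tampering after the baseline was taken.
        os.makedirs(os.path.join(main_users, "xq9Tr2LmQ8vA"))
        with open(os.path.join(main_users, "xq9Tr2LmQ8vA", "user.xml"), "w") as f:
            f.write("<user><username>xq9Tr2LmQ8vA</username>"
                    "<user_admin>true</user_admin></user>\n")
        with open(os.path.join(main_users, "default", "user.xml"), "w") as f:
            f.write("<user><username>default</username>"
                    "<user_admin>true</user_admin></user>\n")

        return diff_tree(load_baseline(baseline_path), hash_tree(main_users))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

In the demo the new xq9Tr2LmQ8vA/user.xml shows up as added and default/user.xml as modified. Schedule the comparison from a host that the CrushFTP service account cannot write to, and forward any non-empty result to your SIEM; a baseline stored next to the files it protects is trivially rewritten by the same attacker who modified them.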

Need Help?

We’re actively assisting clients with:

  • 🔎 Log analysis and compromise assessments
  • 🛠 Forensic triage and evidence preservation
  • 📈 Hardening recommendations for CrushFTP and other MFT platforms
  • 🧰 Detection rule updates for SIEM/XDR tools

If you use CrushFTP, especially for sensitive partner exchanges, don’t wait. This one’s being exploited fast.

Let’s talk if you need help understanding exposure or need urgent IR support.
