CrushFTP 0-Day RCE Vulnerability Technical Details and PoC Released


A significant zero-day vulnerability in CrushFTP has been disclosed, allowing unauthenticated attackers to achieve complete remote code execution on vulnerable servers. 

The flaw, tracked as CVE-2025-54309 and scoring a critical 9.8 on the CVSS scale, stems from a fundamental breakdown in security checks within CrushFTP’s DMZ proxy configuration. 

Security researchers have already released proof-of-concept exploit code, significantly raising the urgency for organizations running CrushFTP to implement immediate protective measures.


Key Takeaways
1. CVE-2025-54309 allows unauthenticated remote code execution on CrushFTP servers.
2. Exploits use malicious XML payloads to bypass authentication and execute system commands.
3. Public exploit code available - immediate patching required.

Technical Details of the Vulnerability

According to the pwn.guide advisory, the core vulnerability lies in CrushFTP’s failure to properly authenticate requests to the /WebInterface/function/ admin endpoint.

In normal operations, the DMZ proxy should act as a secure gateway protecting internal admin servers from public internet access.

However, this security mechanism completely fails when processing specially crafted HTTP POST requests, allowing attackers to bypass authentication entirely.

The primary exploitation method leverages the XML-RPC (XML Remote Procedure Call) protocol to execute arbitrary system commands. 

Attackers can send malicious XML payloads containing the system.exec function call to execute operating system commands directly. A typical attack payload appears as:

[Screenshot in the original article: example XML-RPC payload]

This vulnerability achieves its critical CVSS 9.8 rating due to three key factors: no authentication requirements, remote accessibility from anywhere on the internet, and complete system compromise through RCE capabilities.

Risk Factors            Details
Affected Products       CrushFTP servers with DMZ proxy configuration
Impact                  Remote Code Execution (RCE)
Exploit Prerequisites   No authentication required; network access to the /WebInterface/function/ endpoint; HTTP POST capability; XML-RPC payload crafting
CVSS 3.1 Score          9.8 (Critical)

Proof-of-Concept Exploitation 

Security researchers have published a comprehensive PoC script on GitHub. The exploit tool supports multiple attack vectors, including direct XML-RPC command execution, command injection through login forms, and malicious file uploads.

The basic exploitation command structure follows: python3 exploit.py 192.168.1.100 -c "uname -a", where the script generates XML-RPC payloads and delivers them to the vulnerable /WebInterface/function/ endpoint.


Advanced attack modes include reconnaissance scanning with the --recon flag and alternative payload types such as cmd_inject for command injection attacks.


Organizations running CrushFTP should immediately implement network-level restrictions to block unauthorized access to admin endpoints, apply any available vendor patches, and monitor for suspicious XML-RPC requests targeting the /WebInterface/function/ path. 
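As an added example (not code from the advisory, the PoC or CrushFTP itself), a minimal log triage for the monitoring advice above: it flags POST requests to the /WebInterface/function/ path whose body is an XML-RPC call naming system.exec, and lower-severity hits for unauthenticated calls to that endpoint. The regexes, the has_session field and the sample records are constructed assumptions about what a proxy or application log would expose.

```python
import re
from typing import Dict, List, Optional, Tuple

# Endpoint named in the advisory; the patterns themselves are constructed for this example.
ADMIN_ENDPOINT = re.compile(r"^/WebInterface/function/", re.IGNORECASE)
XMLRPC_CALL = re.compile(r"<methodCall\b", re.IGNORECASE)
SYSTEM_EXEC = re.compile(r"<methodName>\s*system\.exec\s*</methodName>", re.IGNORECASE)


def classify_request(method: str, path: str, body: str, has_session: bool) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a request worth alerting on, else None.

    has_session is an assumed log field: whether the request carried a valid
    CrushFTP session. Query strings are ignored when matching the path.
    """
    if not ADMIN_ENDPOINT.match(path.split("?", 1)[0]):
        return None  # not the admin function endpoint
    is_post = method.upper() == "POST"
    if is_post and SYSTEM_EXEC.search(body):
        # The exploitation pattern described in the advisory: XML-RPC system.exec via POST
        return ("critical", "XML-RPC system.exec call to admin endpoint")
    if is_post and XMLRPC_CALL.search(body) and not has_session:
        return ("high", "unauthenticated XML-RPC call to admin endpoint")
    if not has_session:
        return ("medium", "unauthenticated access to admin endpoint")
    return None


def scan(records: List[Dict]) -> List[Tuple[int, str, str]]:
    """Run classify_request over log records; return (index, severity, reason) per hit."""
    hits = []
    for i, r in enumerate(records):
        result = classify_request(r["method"], r["path"], r.get("body", ""), r.get("has_session", False))
        if result:
            hits.append((i, result[0], result[1]))
    return hits


# Constructed sample records, not captured traffic.
SAMPLE_RECORDS = [
    {"method": "GET", "path": "/WebInterface/", "has_session": True},
    {"method": "POST", "path": "/WebInterface/function/?x=1", "body": "command=example", "has_session": True},
    {"method": "POST", "path": "/WebInterface/function/", "has_session": False,
     "body": "<?xml version='1.0'?><methodCall><methodName>system.exec</methodName></methodCall>"},
    {"method": "POST", "path": "/webinterface/FUNCTION/", "has_session": False,
     "body": "<methodCall><methodName>system.listMethods</methodName></methodCall>"},
    {"method": "GET", "path": "/WebInterface/function/", "has_session": False},
]

if __name__ == "__main__":
    for idx, severity, reason in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {severity}: {reason}")
```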

The combination of public PoC availability and the vulnerability’s severe impact makes this a prime target for widespread exploitation campaigns.
