CrushFTP Hit by Critical 0-Day RCE Vulnerability
Security researchers have disclosed a critical zero-day vulnerability in CrushFTP, a popular file transfer server solution, that allows attackers to execute arbitrary commands on affected systems without authentication.
The vulnerability, tracked as CVE-2025-54309, has been assigned a maximum CVSS score of 9.8 and poses an immediate threat to organizations running vulnerable CrushFTP installations.
Authentication Bypass Leads to Complete System Compromise
The vulnerability stems from a fundamental security failure in CrushFTP’s DMZ proxy implementation.
In typical deployments, this proxy serves as a protective barrier between the public internet and internal admin servers.
However, the flaw allows attackers to bypass authentication entirely by sending specially crafted HTTP POST requests to the /WebInterface/function/ endpoint.
“The server mistakenly processes unauthenticated requests, granting attackers direct command execution capabilities on the underlying operating system,” security researchers explained in their disclosure.
This represents one of the most severe types of vulnerabilities possible, as it provides immediate administrative access to affected systems.
The primary exploitation method leverages XML-RPC (XML Remote Procedure Call) to execute the system.exec function remotely.
The attack involves sending malicious XML payloads that the server processes without proper authentication verification.
A typical attack payload, reduced to the XML-RPC method name and the command it asks the server to run, appears as follows:
system.exec
id
When the vulnerable server receives this payload, it executes the specified command and returns the output to the attacker, effectively providing a remote shell interface.
Proof-of-Concept Demonstrates Real-World Impact
Researchers have published a complete proof-of-concept exploit on GitHub, demonstrating multiple attack vectors including direct command execution, command injection through login forms, and unauthorized file uploads.
The PoC script offers reconnaissance capabilities and various payload options.
Basic exploitation can be performed using simple commands:
python3 exploit.py 192.168.1.100 -c "uname -a"
The script also supports alternative attack methods, including command injection through login parameters:
python3 exploit.py 192.168.1.100 -p cmd_inject -c "whoami"
This technique exploits SQL injection-like vulnerabilities by injecting commands into username fields using payloads such as admin';whoami;#.
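As an added defensive example (not part of the original article or the published PoC), the following Python triages constructed proxy/WAF records for the two patterns described above: unauthenticated XML-RPC system.exec calls to /WebInterface/function/ and shell metacharacters in login usernames. The record layout is an assumption modelled on a reverse proxy in front of the DMZ proxy, not CrushFTP's own log format.

```python
import re

# Indicators taken from the advisory text; the event layout is an assumption
# (fields a reverse proxy or WAF in front of the CrushFTP DMZ proxy might log).
VULN_ENDPOINT = "/WebInterface/function/"
XMLRPC_EXEC = re.compile(r"<methodName>\s*system\.exec\s*</methodName>", re.I)
SHELL_META = re.compile(r"[;|&`]|\$\(")

def unauthenticated_xmlrpc_exec(ev):
    """POST to the function endpoint with no session and an XML-RPC system.exec call."""
    return (ev["method"] == "POST"
            and ev["path"].startswith(VULN_ENDPOINT)
            and not ev["authenticated"]
            and XMLRPC_EXEC.search(ev.get("body", "")) is not None)

def login_field_injection(ev):
    """Shell metacharacters in a login username, e.g. the admin';whoami;# pattern."""
    user = ev.get("params", {}).get("username", "")
    return SHELL_META.search(user) is not None

def triage(events):
    """Return (index, reason) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if unauthenticated_xmlrpc_exec(ev):
            hits.append((i, "unauthenticated XML-RPC system.exec"))
        if login_field_injection(ev):
            hits.append((i, "shell metacharacters in login username"))
    return hits

# Constructed sample events (not real traffic): one benign authenticated call,
# one unauthenticated XML-RPC exec, one injected login, one normal login, one GET.
SAMPLE_EVENTS = [
    {"method": "POST", "path": VULN_ENDPOINT, "authenticated": True,
     "body": "command=getUserList", "params": {}},
    {"method": "POST", "path": VULN_ENDPOINT, "authenticated": False,
     "body": "<methodCall><methodName>system.exec</methodName>...</methodCall>", "params": {}},
    {"method": "POST", "path": VULN_ENDPOINT, "authenticated": False,
     "body": "command=login", "params": {"username": "admin';whoami;#", "password": "x"}},
    {"method": "POST", "path": VULN_ENDPOINT, "authenticated": False,
     "body": "command=login", "params": {"username": "alice", "password": "x"}},
    {"method": "GET", "path": "/WebInterface/", "authenticated": False, "body": "", "params": {}},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```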
The vulnerability receives its maximum CVSS score due to three critical factors: no authentication requirements, complete remote accessibility, and full system compromise capabilities.
Attackers can exploit this flaw from anywhere on the internet to steal sensitive data, install malware, or pivot to additional network resources.
Organizations running CrushFTP should immediately apply available patches or implement network-level protections to block unauthorized access to vulnerable endpoints.
The publication of working exploit code significantly increases the urgency for remediation efforts.
System administrators should also conduct thorough security assessments to identify any signs of compromise, as the vulnerability may have been exploited before its public disclosure.