A weaponized proof-of-concept exploit has been publicly released targeting CVE-2025-54309, a severe authentication bypass vulnerability affecting CrushFTP file transfer servers.
The flaw enables remote attackers to gain administrative privileges through a race condition in AS2 validation processing, circumventing authentication mechanisms entirely.
Key Takeaways
1. Race-condition exploit lets attackers bypass CrushFTP authentication.
2. Public PoC on GitHub confirms vulnerable instances without adding backdoors.
3. Upgrade, enable DMZ proxy, and watch for POST spikes.
First exploited in the wild in July 2025, the vulnerability affects CrushFTP 10 versions before 10.8.5 and CrushFTP 11 versions before 11.3.4_23 when the DMZ proxy feature is disabled, a configuration found in the majority of deployed instances across enterprise environments.
CrushFTP 0-day Vulnerability
The vendor postmortem published on July 18, 2025, acknowledged active targeting of CrushFTP instances but blamed users for failing to apply a silent patch that was never publicly announced.
With over 30,000 instances exposed online, the mishandling of AS2 validation allowed attackers to gain administrative access via HTTPS.
Specifically, the flaw resides in the WebInterface/function/ endpoint, where two sequential HTTP POST requests race to set session state:
By issuing Request 1 (with the AS2-TO: crushadmin header) immediately followed by Request 2 (omitting the header but reusing the same session cookies), attackers win a race condition that impersonates the built-in crushadmin user and successfully invokes setUserItem to create a new administrative account.
Standalone requests return 404, but when executed at high concurrency, Request 2 returns a 200 OK response confirming administrative user creation.
Risk Factors | Details |
Affected Products | CrushFTP 10 versions before 10.8.5; CrushFTP 11 versions before 11.3.4_23 |
Impact | Authentication bypass, remote code execution |
Exploit Prerequisites | DMZ proxy feature disabled; ability to send sequential HTTPS POST requests; valid CrushAuth and currentAuth cookies |
CVSS 3.1 Score | 9.8 (Critical) |
PoC Exploit
WatchTowr Labs has published a fully functional PoC exploit on GitHub, enabling security teams to verify vulnerable CrushFTP instances without adding persistent backdoors.
The PoC simply extracts the user list to confirm exploitation:
Additionally, researchers recommend monitoring for anomalous spikes in POST requests to /WebInterface/function/ with repetitive AS2-TO and cookie patterns.
Security teams should deploy intrusion detection signatures matching this race condition and implement network rate-limiting to mitigate high-frequency exploit attempts.
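The monitoring advice above can be turned into a simple log check. The following Python script is an added example, not code from the article or from watchTowr Labs: it reads request records, groups POSTs to /WebInterface/function/ by session cookie, and flags a dense burst that mixes requests carrying an AS2-TO header with requests omitting it while reusing the same CrushAuth/currentAuth cookies. The JSON-lines record format, the sample lines, the two-second window and the threshold of five requests are all constructed assumptions; CrushFTP's own log format is not shown on the page, so adapt parse_line to whatever your server or proxy actually emits.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List

TARGET_PATH = "/WebInterface/function/"
WINDOW_SECONDS = 2.0   # burst window (assumption; tune to normal traffic)
BURST_THRESHOLD = 5    # POSTs per cookie inside the window (assumption)

# Constructed sample records, one JSON object per line: ts (seconds), method,
# path, the Cookie header as sent, and the AS2-TO header value (null if absent).
SAMPLE_LOG = [
    '{"ts": 100.00, "method": "POST", "path": "/WebInterface/function/", "cookie": "CrushAuth=aaa; currentAuth=1111", "as2_to": "crushadmin"}',
    '{"ts": 100.05, "method": "POST", "path": "/WebInterface/function/", "cookie": "CrushAuth=aaa; currentAuth=1111", "as2_to": null}',
    '{"ts": 100.10, "method": "POST", "path": "/WebInterface/function/", "cookie": "CrushAuth=aaa; currentAuth=1111", "as2_to": "crushadmin"}',
    '{"ts": 100.15, "method": "POST", "path": "/WebInterface/function/", "cookie": "CrushAuth=aaa; currentAuth=1111", "as2_to": null}',
    '{"ts": 100.20, "method": "POST", "path": "/WebInterface/function/", "cookie": "CrushAuth=aaa; currentAuth=1111", "as2_to": "crushadmin"}',
    '{"ts": 100.25, "method": "POST", "path": "/WebInterface/function/", "cookie": "CrushAuth=aaa; currentAuth=1111", "as2_to": null}',
    # Benign session: two ordinary POSTs thirty seconds apart, plus a GET.
    '{"ts": 100.10, "method": "POST", "path": "/WebInterface/function/", "cookie": "CrushAuth=bbb; currentAuth=2222", "as2_to": null}',
    '{"ts": 130.00, "method": "POST", "path": "/WebInterface/function/", "cookie": "CrushAuth=bbb; currentAuth=2222", "as2_to": null}',
    '{"ts": 100.30, "method": "GET",  "path": "/WebInterface/", "cookie": "CrushAuth=aaa; currentAuth=1111", "as2_to": null}',
]


def parse_line(line: str) -> dict:
    """Parse one constructed JSON-lines record (replace for a real log format)."""
    return json.loads(line)


def find_bursts(lines: Iterable[str]) -> List[Dict]:
    """Return one alert per session cookie that shows a dense burst of POSTs to the
    function endpoint mixing AS2-TO-bearing and AS2-TO-less requests."""
    by_cookie: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev.get("method") != "POST" or not ev.get("path", "").startswith(TARGET_PATH):
            continue
        by_cookie[ev.get("cookie", "")].append(ev)

    alerts: List[Dict] = []
    for cookie, events in by_cookie.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over the time-ordered events for this cookie.
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > WINDOW_SECONDS:
                start += 1
            window = events[start:end + 1]
            if len(window) < BURST_THRESHOLD:
                continue
            with_hdr = sum(1 for e in window if e.get("as2_to"))
            without_hdr = len(window) - with_hdr
            if with_hdr and without_hdr:
                alerts.append({
                    "cookie": cookie,
                    "count": len(window),
                    "as2_to_present": with_hdr,
                    "as2_to_absent": without_hdr,
                    "first_ts": window[0]["ts"],
                    "last_ts": window[-1]["ts"],
                })
                break  # one alert per cookie is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print("suspicious AS2-TO burst:", alert)
```

Only the first session trips the rule: six POSTs in a quarter of a second, alternating with and without the AS2-TO header on the same cookie pair. A single request with AS2-TO, or a slow sequence of ordinary POSTs, is left alone, which keeps the rule quiet on legitimate AS2 traffic.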
Mitigation includes:
- Upgrade to CrushFTP 10.8.5 or 11.3.4_23 (or later).
- Enable the DMZ proxy feature if it is not already configured.
- Audit administrative user additions and review session-reuse patterns.
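The affected ranges stated earlier (CrushFTP 10 before 10.8.5, CrushFTP 11 before 11.3.4_23, and only with the DMZ proxy disabled) are easy to misjudge by eye because of the `_23` build suffix. The following Python helper is an added example, not code from the article or from CrushFTP, for checking an inventory of reported versions against those ranges. It assumes version strings of the form `major.minor.patch` with an optional `_build` suffix, as the advisory writes them, and treats major versions other than 10 and 11 as not listed in the advisory.

```python
import re
from typing import Tuple

# Fixed releases named in the advisory, as comparable tuples
# (major, minor, patch, build). A missing build suffix counts as 0.
FIXED_VERSIONS = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse '10.8.5' or '11.3.4_23' into (major, minor, patch, build)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def is_vulnerable(version: str, dmz_proxy_enabled: bool) -> bool:
    """True when the version falls below its line's fixed release and the DMZ
    proxy is disabled, the two conditions the advisory gives for exposure."""
    if dmz_proxy_enabled:
        return False
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return False  # assumption: majors not named in the advisory are not flagged
    return parsed < fixed


if __name__ == "__main__":
    # Constructed inventory: (hostname, reported version, DMZ proxy enabled?)
    inventory = [
        ("mft-01.example.internal", "10.8.4", False),
        ("mft-02.example.internal", "11.3.4", False),
        ("mft-03.example.internal", "11.3.4_23", False),
        ("mft-04.example.internal", "11.3.4_22", True),
    ]
    for host, ver, dmz in inventory:
        state = "VULNERABLE" if is_vulnerable(ver, dmz) else "ok"
        print(f"{host:28} {ver:12} dmz_proxy={dmz!s:5} {state}")
```

Note that plain `11.3.4` sorts below `11.3.4_23`, so a server reporting `11.3.4` without the build suffix is still inside the affected range.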
Organizations leveraging CrushFTP must treat CVE-2025-54309 as a critical risk and act swiftly to defend against in-the-wild exploitation.