watchTowr Labs has released a detailed analysis of CVE-2025-54309, a zero-day authentication bypass vulnerability in CrushFTP, the cross-platform file transfer server widely used by enterprises, SMBs, and government agencies. The flaw, which has already been exploited in the wild, allows remote attackers to gain full administrative control through a race condition in HTTP request handling.
CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S, and other protocols.
According to the CVE description, "CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025."
While the bulletin clarifies that deployments using the DMZ proxy feature are not affected, watchTowr noted that "administrative access to CrushFTP, for example, as the built-in user crushadmin is effectively game over, with the user able to retrieve sensitive files, create sensitive files and more."
The breakthrough came from watchTowr's proprietary honeypot network, Attacker Eye, which captured exploitation attempts. The analysis revealed a pair of HTTP requests used in tandem:
- Request 1 contained the AS2-TO: \crushadmin header, setting the session object to impersonate the built-in admin.
- Request 2 quickly followed, using the same cookies to execute the setUserItem function, adding a new administrative account.
By themselves, neither request succeeded. But, as watchTowr explained, "their combination within the race is key." When timed correctly, request [2] executed as crushadmin, allowing attackers to create a persistent backdoor.
The vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on July 22, 2025. watchTowr observed large-scale exploitation attempts, with sensors recording "1,190 occurrences of request [1] and 1,192 of request [2]… almost as if they were racing each other (and perhaps unintentionally DoS'ing our sensor)."
This aligns with underground chatter, where ReliaQuest reported that criminals were selling the exploit before it became public.
watchTowr published a detection artefact generator on GitHub to help defenders validate exposure. The proof-of-concept does not create a backdoor account but instead confirms vulnerability by extracting the user list.
Mitigation steps include:
- Updating immediately to CrushFTP 10.8.5 or 11.3.4_23 (or later); all earlier 10.x and 11.x builds that do not sit behind the DMZ proxy are affected.
- Monitoring HTTP logs for repeated paired requests with the AS2-TO: \crushadmin header.
- Reviewing accounts for unauthorized administrative users.
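The log-monitoring step above is easier to act on with a concrete check. The script below is an added example (not watchTowr's detection artefact generator and not CrushFTP code) that walks a simplified, constructed access log and flags any session cookie that carries an AS2-TO: \crushadmin request followed shortly afterwards by a setUserItem call, which is the paired pattern described in the analysis. The log layout (one line per request with timestamp, client, method, path, CrushAuth cookie and AS2-TO header value), the sample lines, and the two-second pairing window are all assumptions for the example; adapt the parser to the real access-log format in use.

```python
"""Detection example for the CVE-2025-54309 request pair.

Added example, not watchTowr's or CrushFTP's code. The per-request log
format below is an assumption (timestamp client method path CrushAuth=<cookie>
AS2-TO=<value or ->); adjust LINE_RE to the real access-log layout.
"""
from datetime import datetime
import re

# Constructed sample lines, not real traffic. Session aaa111 shows the paired
# pattern within 40 ms; ccc333 shows the same two requests 30 s apart;
# bbb222 is ordinary traffic with no AS2-TO header.
SAMPLE_LOG = r"""
2025-07-18T10:00:00.000Z 203.0.113.5 POST /WebInterface/function/ CrushAuth=aaa111 AS2-TO=\crushadmin
2025-07-18T10:00:00.040Z 203.0.113.5 POST /WebInterface/function/?command=setUserItem CrushAuth=aaa111 AS2-TO=-
2025-07-18T10:05:00.000Z 198.51.100.9 GET /WebInterface/ CrushAuth=bbb222 AS2-TO=-
2025-07-18T10:05:01.000Z 198.51.100.9 POST /WebInterface/function/?command=getUserList CrushAuth=bbb222 AS2-TO=-
2025-07-18T11:00:00.000Z 192.0.2.7 POST /WebInterface/function/ CrushAuth=ccc333 AS2-TO=\crushadmin
2025-07-18T11:00:30.000Z 192.0.2.7 POST /WebInterface/function/?command=setUserItem CrushAuth=ccc333 AS2-TO=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"CrushAuth=(?P<session>\S+) AS2-TO=(?P<as2>\S+)$"
)

ADMIN_AS2_TO = "\\crushadmin"  # header value seen in request [1]
PAIR_WINDOW_SECONDS = 2.0      # assumption: the two requests must race


def parse_log(text):
    """Parse lines in the assumed format into dicts; unmatched lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"].rstrip("Z"))
        records.append(rec)
    return records


def find_paired_requests(records, window_seconds=PAIR_WINDOW_SECONDS):
    """Return (session, client, delta_seconds) for every setUserItem call that
    reuses a session cookie which carried AS2-TO: \\crushadmin within the window.
    """
    last_admin = {}  # session cookie -> time of its last AS2-TO=\crushadmin request
    hits = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["as2"] == ADMIN_AS2_TO:
            last_admin[rec["session"]] = rec["ts"]
        if "setUserItem" in rec["path"] and rec["session"] in last_admin:
            delta = (rec["ts"] - last_admin[rec["session"]]).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append((rec["session"], rec["client"], delta))
    return hits


def admin_as2_to_requests(records):
    """Every request carrying AS2-TO: \\crushadmin, paired or not. On a server
    that does not use AS2 at all, each of these deserves a look on its own."""
    return [
        (r["ts"].isoformat(), r["client"], r["session"])
        for r in records
        if r["as2"] == ADMIN_AS2_TO
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for session, client, delta in find_paired_requests(recs):
        print(f"PAIRED: session={session} client={client} "
              f"setUserItem {delta:.3f}s after AS2-TO={ADMIN_AS2_TO}")
    for ts, client, session in admin_as2_to_requests(recs):
        print(f"AS2-TO={ADMIN_AS2_TO}: {ts} client={client} session={session}")
```

With the default two-second window only session aaa111 is reported as a pair; widening the window (for example to 60 seconds) also catches ccc333. Because the race works precisely when the two requests arrive almost together, a tight window gives high-confidence hits, while the unpaired list of AS2-TO: \crushadmin requests is the broader net for a server that never legitimately handles AS2 traffic.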