NG Solution Team
Technology

What is CVE-2025-54309?

On July 18, 2025, CrushFTP disclosed a critical zero-day vulnerability tracked as CVE-2025-54309. The flaw has been actively exploited, potentially for an extended period: threat actors reverse engineered the code and exploited a previously fixed bug to gain remote access over HTTP(S). The vulnerability arises from improper handling of AS2 validation. Systems using the DMZ proxy instance are not affected.

Given the history of targeted attacks on file transfer solutions like CrushFTP, CVE-2025-54309 is expected to remain a focus for cybercriminals. Earlier this year another CrushFTP vulnerability, CVE-2025-31161, was also extensively exploited.

To mitigate the risk, users are strongly advised to update to the latest fixed versions: CrushFTP 10 to version 10.8.5 and CrushFTP 11 to version 11.3.4_23. For those unable to patch immediately, deploying the DMZ proxy instance offers a temporary safeguard.
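A version triage check against the fixed releases named above, as an added example that is not CrushFTP's or the author's code. The `major.minor.patch_build` string layout, the status labels and the inventory entries are assumptions constructed for illustration.

```python
import re

# Fixed versions as stated in the article, keyed by major release line.
FIXED = {10: "10.8.5", 11: "11.3.4_23"}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text):
    """Parse 'major.minor.patch[_build]' into a tuple of integers."""
    # Assumption: a missing '_build' suffix is treated as build 0.
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def triage(version, dmz_proxy=False):
    """Return 'patched', 'update-required', 'dmz-temporary' or 'unknown'."""
    try:
        parsed = parse_version(version)
    except ValueError:
        return "unknown"
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return "unknown"  # the article names no fixed version for this line
    # Integer comparison matters: build 9 is older than build 23.
    if parsed >= parse_version(fixed):
        return "patched"
    return "dmz-temporary" if dmz_proxy else "update-required"


# Constructed inventory: (host, reported version, fronted by DMZ proxy).
INVENTORY = [
    ("ftp-a.example.internal", "11.3.4_23", False),
    ("ftp-b.example.internal", "11.3.4_9", False),
    ("ftp-c.example.internal", "10.8.4", True),
    ("ftp-d.example.internal", "10.8.5", False),
    ("ftp-e.example.internal", "9.4.0", False),
]


def report(inventory):
    return {host: triage(ver, dmz) for host, ver, dmz in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `dmz-temporary` still need the update; the article describes the DMZ proxy only as a temporary safeguard.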
