CrushFTP Server Unprotected Alternate Channel Vulnerability - CVE-2025-54309 - Vulnerability Database

CrushFTP Server Unprotected Alternate Channel Vulnerability - CVE-2025-54309

Critical

Reference: CVE-2025-54309

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2025-54309

Title: CrushFTP Server Unprotected Alternate Channel Vulnerability

Overview:

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23 when the DMZ proxy feature is not used mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS as exploited in the wild in July 2025.