CrushFTP: Unprotected Alternate Channel AS2 validation flaw in CrushFTP (CVE-2025-54309) #shorts
Summary
In July 2025, a critical zero-day vulnerability tracked as CVE-2025-54309 was discovered in CrushFTP. Remote attackers are exploiting a flaw in AS2 validation to gain administrative access over HTTPS, leading to potential full system compromise and data theft.
Product details
The affected product is CrushFTP, versions prior to 10.8.5 and 11.3.4_23. CrushFTP is a cross-platform file transfer server that supports FTP, SFTP, HTTP, HTTPS, and other protocols. The vulnerability only affects configurations where the DMZ proxy feature is not enabled.
Vulnerability type summary
CVE-2025-54309 is classified under CWE-420: Unprotected Alternate Channel. The flaw allows an attacker to bypass intended validation checks on AS2 messages, using an alternate communication channel to perform administrative actions without proper authorization.
Details of the vulnerability
CrushFTP’s AS2 validation logic fails to enforce authentication when the DMZ proxy is disabled. An attacker crafts a specially formed HTTPS request that exploits the unprotected alternate channel, bypasses AS2 signature and certificate checks, and gains admin-level privileges. This issue has been observed in real-world attacks since mid-July 2025, where threat actors leveraged the flaw to take control of servers and exfiltrate sensitive files.
Conclusion
Administrators should immediately update CrushFTP to version 10.8.5 or 11.3.4_23, or later. If immediate patching is not possible, enable the DMZ proxy feature as a temporary mitigation. Monitor server logs for unauthorized administrative access and review network traffic for anomalous AS2 requests. Staying current with vendor updates and applying security best practices will help defend against this critical threat.
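Two of the checks recommended above can be scripted. The following is an added example, not CrushFTP's own tooling or anything from the vendor advisory: the first function decides whether a version string is below the fixed releases named on this page (10.8.5 for the 10.x line, 11.3.4_23 for the 11.x line); the second scans access-log lines for requests to the administrative interface whose session identifier was never handed out by a successful login, or was handed out to a different client address. The version format "major.minor.patch[_build]", the log-line layout, the LOGIN record and the sample log entries are all assumptions constructed for the example; adapt the two regular expressions to the real log format before use.

```python
"""Added example (not CrushFTP's own code): affected-version check and a simple
admin-session consistency scan for CVE-2025-54309.

Assumptions made for this example:
  - version strings look like "10.8.4" or "11.3.4_23" (major.minor.patch[_build])
  - log lines are either
      "<ts> <ip> LOGIN user=<u> session=<sid> result=<OK|FAIL>"
    or
      "<ts> <ip> <METHOD> <path> <status>"
"""
import re
from typing import Dict, List, Tuple

# First fixed release per major line, taken from the advisory text above.
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) LOGIN user=(?P<user>\S+) "
    r"session=(?P<sid>\S+) result=(?P<res>\S+)$"
)
REQ_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
ADMIN_PATH = "/CrushFTP/admin"  # admin interface path as listed on this page


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[_build]' into a comparable tuple (build defaults to 0)."""
    m = VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_affected_version(v: str) -> bool:
    """True when the version is below the fixed release of its major line.

    Major lines older than 10 are treated as affected (they predate both fixes);
    major lines newer than 11 are treated as fixed.
    """
    parsed = parse_version(v)
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return parsed[0] < 10
    return parsed < fixed


def flag_suspicious_admin_requests(lines: List[str]) -> List[str]:
    """Return one finding per admin-interface request whose sessionId was not
    issued by a successful LOGIN, or was issued to a different client IP.

    Requests without a sessionId query parameter are skipped: a cookie-based
    session cannot be judged from this constructed log format.
    """
    issued: Dict[str, str] = {}  # session id -> ip that obtained it via LOGIN result=OK
    findings: List[str] = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            if m["res"] == "OK":
                issued[m["sid"]] = m["ip"]
            continue
        m = REQ_RE.match(line)
        if not m or not m["path"].startswith(ADMIN_PATH):
            continue
        query = m["path"].partition("?")[2]
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        sid = params.get("sessionId")
        if sid is None:
            continue
        if sid not in issued:
            findings.append(f"{m['ts']} {m['ip']} admin request with session never issued by login: {sid}")
        elif issued[sid] != m["ip"]:
            findings.append(f"{m['ts']} {m['ip']} admin request reusing session {sid} issued to {issued[sid]}")
    return findings


# Constructed sample log: one legitimate admin login and two anomalous admin requests.
SAMPLE_LOG = [
    "2025-07-18T10:15:02Z 198.51.100.7 LOGIN user=crushadmin session=s-1001 result=OK",
    "2025-07-18T10:15:09Z 198.51.100.7 GET /CrushFTP/admin?sessionId=s-1001 200",
    "2025-07-18T10:20:45Z 203.0.113.9 GET /CrushFTP/admin?sessionId=s-9999 200",
    "2025-07-18T10:21:03Z 203.0.113.9 GET /CrushFTP/admin?sessionId=s-1001 200",
]

if __name__ == "__main__":
    for v in ("10.8.4", "10.8.5", "11.3.4_22", "11.3.4_23"):
        print(v, "affected" if is_affected_version(v) else "fixed")
    for finding in flag_suspicious_admin_requests(SAMPLE_LOG):
        print(finding)
```

The session scan is deliberately narrow: it only reasons about identifiers that appear in the query string, so a second finding type (a session valid for one client but used from another) is the signal most worth routing to an alert, since it does not depend on knowing which request planted the token in the first place.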
Watch the full video on YouTube: CVE-2025-54309
Remediation and exploitation details
This chain involves the following actors:
- Remote attacker: Exploits validation flaw to gain administrative access
- System administrator: Applies patches and monitors for unauthorized access
The following systems are involved:
- CrushFTP server (Secure file transfer and message exchange using AS2): Receives and validates AS2 messages over HTTPS
Attack entry point
- AS2 alternate channel endpoint: HTTPS interface that processes AS2 messages without proper signature validation when the DMZ proxy feature is not enabled
Remediation actions
Exploitation actions
Send an HTTP GET request to the server’s version endpoint or inspect response headers
- GET /CrushFTP HTTP/1.1
- Host: victim.example.com
Build a multipart HTTP POST with manipulated signature headers and payload parts designed to bypass validation logic
- POST /CrushFTP?a=as2AlternateChannel HTTP/1.1
- Content-Type: multipart/signed; boundary="--XYZ"
Send the crafted POST over TLS, exploiting the unprotected channel to have the server accept unsigned or tampered content
- openssl s_client -connect victim.example.com:443 < crafted_request.txt
Leverage the bypassed validation to inject session tokens or administrative credentials into the server state
- Check /CrushFTP/admin?sessionId=INJECTED_TOKEN
Use the injected token to open the web interface as an administrator and perform actions like user creation or configuration export
- https://victim.example.com:443/CrushFTP/admin
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
- https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
- https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/
- [2025-07-22] CrushFTP Unprotected Alternate Channel Vulnerability allows remote attackers to obtain admin access via HTTPS.
- [2025-07-19] CrushFTP zero-day vulnerability CVE-2025-54309 exploited to gain admin access.
- [2025-07-21] Critical CrushFTP vulnerability exploited, potentially leading to data theft.
- [2025-07-21] A critical vulnerability in CrushFTP, CVE-2025-54309, is being exploited to allow remote attackers to gain admin access via HTTPS.