Emergency Security Bulletin: CrushFTP AS2 Authentication Bypass & Admin Access Vulnerability


By: RedLegg's Cyber Threat Intelligence Team

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

CrushFTP AS2 Authentication Bypass & Admin Access Vulnerability


CVSS Score: 9.0 (Critical)
Identifier: CVE-2025-54309
Exploit or POC: Yes – actively exploited in the wild via HTTPS zero-day attacks
Update CVE-2025-54309 – CrushFTP Security Advisory

Description: CVE-2025-54309 affects CrushFTP 10 before 10.8.5 and CrushFTP 11 before 11.3.4_23 when the DMZ proxy feature is disabled. The flaw is improper validation of AS2 protocol input received over HTTPS, which allows an unauthenticated remote attacker to bypass authentication and obtain administrative access. The vulnerability has been actively exploited in real-world campaigns against Internet-exposed servers since mid-July 2025: attackers send crafted AS2 messages to the HTTP(S) interface, take control of the instance, and create misleading admin accounts.

Mitigation Recommendation: Upgrade immediately to CrushFTP 10.8.5_12 or 11.3.4_26 (or later).

If patching is delayed, restrict HTTPS administrative access to trusted IP addresses and enable the DMZ proxy feature, since the flaw is only reachable when it is disabled.

Review logs and configuration files (e.g., MainUsers/default/user.xml) for last-login anomalies, unexpected admin users, or missing UI elements that may indicate compromise.

Restore default user data from clean backups if tampering is confirmed.

Monitor for indicators such as altered user.xml files, new random user IDs, and unauthorized privilege escalations.

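A defender-side check for the indicators listed above, added here as an example and not part of the RedLegg bulletin or of CrushFTP's own tooling: it snapshots every MainUsers/<user>/user.xml (the one-directory-per-account layout is an assumption drawn from the MainUsers/default/user.xml path the bulletin cites), then flags accounts that appeared since the baseline, records whose file changed, and new names that look machine-generated. The data it walks is constructed in a temp directory so it runs offline.

```python
import hashlib, math, re, tempfile
from pathlib import Path

# Assumption (not from the advisory): one directory per account under
# MainUsers/<username>/user.xml, generalised from MainUsers/default/user.xml.

def snapshot(mainusers: Path) -> dict:
    """Map each account name to the SHA-256 of its user.xml."""
    return {xml.parent.name: hashlib.sha256(xml.read_bytes()).hexdigest()
            for xml in sorted(mainusers.glob("*/user.xml"))}

def entropy(s: str) -> float:
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_random(name: str) -> bool:
    """Triage heuristic for machine-generated account names: alphanumeric,
    8+ chars, mixes letters and digits, and high per-character entropy."""
    return (re.fullmatch(r"[A-Za-z0-9]{8,}", name) is not None
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name)
            and entropy(name) >= 3.0)

def audit(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into the indicator classes the bulletin names."""
    new = sorted(set(current) - set(baseline))
    modified = sorted(n for n in current if n in baseline and current[n] != baseline[n])
    removed = sorted(set(baseline) - set(current))
    return {"new": new, "modified": modified, "removed": removed,
            "suspicious": [n for n in new if looks_random(n)]}

def demo() -> dict:
    """Build a constructed MainUsers tree, baseline it, then simulate tampering."""
    root = Path(tempfile.mkdtemp()) / "MainUsers"
    def write(name, body):
        (root / name).mkdir(parents=True, exist_ok=True)
        (root / name / "user.xml").write_text(body)
    for name in ("default", "admin", "svc_edi"):          # constructed accounts
        write(name, f"<user><username>{name}</username></user>")
    baseline = snapshot(root)
    # Simulated post-compromise state: admin record altered, random account added.
    write("admin", "<user><username>admin</username><lastlogin>changed</lastlogin></user>")
    write("7x9qk2mzp4", "<user><username>7x9qk2mzp4</username></user>")
    return audit(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline snapshot is taken from a known-good backup and stored outside the CrushFTP host, so a tampered server cannot also rewrite the reference.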
Note: Over 1,000 unpatched CrushFTP instances have been identified globally. Rapid detection and patching are essential to prevent further exploitation, including command-and-control footholds, data theft, or lateral movement within the network.