New CrushFTP Critical Vulnerability Exploited in the Wild


At least 10,000 CrushFTP instances are vulnerable to a critical flaw in the file transfer solution that is currently being exploited by attackers, according to cybersecurity experts.

The vulnerability, tracked as CVE-2025-54309, involves a mishandling of AS2 validation in all versions of CrushFTP servers prior to 10.8.5 and prior to 11.3.4_23. It can be exploited when the demilitarized zone (DMZ) proxy feature is not used.

When exploited, CVE-2025-54309 allows remote attackers to obtain admin access via HTTPS.

CVE-2025-54309 Exploitation Observed

CrushFTP, LLC, owner of the eponymous multi-protocol, multi-platform file transfer server, disclosed CVE-2025-54309 to a private mailing list on July 18 and later in a public-facing vendor advisory.

MITRE also reported the vulnerability on July 18 and assigned it a CVSS score of 9.

The file transfer company warned that threat actors were observed exploiting CVE-2025-54309 from July 18 at 9:00 am CST, although exploitation campaigns may have begun earlier.

The vendor also emphasized that systems running up-to-date software are not susceptible to the vulnerability and encouraged customers to update to a fixed version of CrushFTP on an urgent basis. The latest fixed versions are CrushFTP 11.3.4_26 and CrushFTP 10.8.5_12.
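Because the affected range is expressed as two version thresholds (prior to 10.8.5 on the 10.x branch, prior to 11.3.4_23 on the 11.x branch) and CrushFTP version strings carry an underscore build suffix, a naive string comparison gets the triage wrong (for example, "10.8.5_12" would sort before "10.8.5"). The following Python is an added example, not code from the article or from CrushFTP, that parses those version strings into comparable tuples and labels a constructed host inventory against the thresholds stated above. The inventory, hostnames and the handling of branches newer than 11 are assumptions made for the example.

```python
import re
from typing import Dict, Tuple

# Thresholds as stated in the advisory text: versions prior to 10.8.5 on the
# 10.x branch and prior to 11.3.4_23 on the 11.x branch are affected.
FIXED_10 = (10, 8, 5, 0)
FIXED_11 = (11, 3, 4, 23)

# Version strings look like "10.8.5" or "11.3.4_23"; the "_NN" suffix is the build.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a CrushFTP version string into a (major, minor, patch, build) tuple.

    A missing build suffix is treated as build 0, so "10.8.5" < "10.8.5_12".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_affected(version: str) -> bool:
    """Return True if the version falls inside the affected range on this page."""
    v = parse_version(version)
    if v[0] < 10:
        return True          # older than 10.8.5 by definition
    if v[0] == 10:
        return v < FIXED_10
    if v[0] == 11:
        return v < FIXED_11
    # Assumption for the example: branches newer than 11 are outside the stated range.
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host as 'update' or 'patched' from a {hostname: version} inventory.

    Deployment mode (DMZ proxy or not) is deliberately not consulted: the page
    notes that Rapid7 advised against relying on a DMZ as a mitigation.
    """
    return {host: ("update" if is_affected(ver) else "patched")
            for host, ver in inventory.items()}


# Constructed sample inventory for the example (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ftp-a.corp.example": "11.3.4_22",
    "ftp-b.corp.example": "11.3.4_26",
    "ftp-c.corp.example": "10.8.5",
    "ftp-d.corp.example": "10.8.4_9",
    "ftp-e.corp.example": "9.9.0",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:22s} {SAMPLE_INVENTORY[host]:12s} {verdict}")
```

Feed `triage` the output of whatever inventory source you already have (CMDB export, banner grab, package list); the verdicts follow only the version thresholds the advisory gives, so hosts behind a DMZ proxy are still reported as needing the update.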

Additionally, CrushFTP stated, "We don't believe people with a DMZ CrushFTP in front of their main are affected by this."

However, in a July 18 advisory, Rapid7 said its researchers were not convinced this statement was true and advised against relying on a DMZ as a mitigation strategy.

On July 21, the Shadowserver Foundation reported observing 1040 unpatched CrushFTP instances, with the top affected countries being the US, Germany and Canada.

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-54309 to its Known Exploited Vulnerabilities (KEV) list on July 22.

This is the second time in 2025 that a CrushFTP vulnerability has been observed being exploited in the wild, following the disclosure and exploitation of a critical authentication bypass (CVE-2025-31161) in April.
