CVE-2025-54309

CrushFTP Authentication Bypass Vulnerability

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23 mishandles AS2 validation when the DMZ proxy feature is not used and consequently allows remote attackers to obtain admin access via HTTPS.

Unauthenticated remote attackers can bypass authentication on the affected CrushFTP instance, leading to unauthorized access.
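A helper for checking an inventory of CrushFTP version strings against the affected ranges stated above, added here as an example and not taken from the vendor advisory or the CrushFTP project. It assumes versions are reported in the `major.minor.patch` or `major.minor.patch_build` form used on this page (e.g. `11.3.4_23`), and that the DMZ proxy condition is supplied by the operator.

```python
import re

# Fixed versions quoted on this page: 10.x fixed in 10.8.5, 11.x fixed in 11.3.4_23.
# Tuples are (major, minor, patch, build); a missing build suffix counts as 0.
FIXED_IN = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_version(text):
    """Turn '11.3.4_23' or '10.8.4' into a comparable (major, minor, patch, build) tuple."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_affected_version(text):
    """True if the version is in a range the advisory lists as affected (10 < 10.8.5, 11 < 11.3.4_23)."""
    version = parse_version(text)
    fixed = FIXED_IN.get(version[0])
    if fixed is None:
        # Other major versions are not named by the advisory text; report them as not in range.
        return False
    return version < fixed


def assess(text, uses_dmz_proxy):
    """Combine the version check with the DMZ proxy deployment condition stated on this page."""
    if not is_affected_version(text):
        return "not in affected range"
    if uses_dmz_proxy:
        return "affected version, but DMZ proxy in use (advisory condition not met); update anyway"
    return "affected version without DMZ proxy: update immediately"


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    inventory = [("ftp-a.example", "11.3.3", False), ("ftp-b.example", "10.8.5", False),
                 ("ftp-c.example", "11.3.4_22", True)]
    for host, version, dmz in inventory:
        print(f"{host:14} {version:10} {assess(version, dmz)}")
```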

Mitigations

  • Reference the vendor advisory for mitigation and update instructions.


References

CVE-2025-54309

Vendor Advisory
