—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Authentication Bypass Vulnerability in CrushFTP

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: CRITICAL

Software Affected

CrushFTP version 10 prior to 10.8.5

CrushFTP version 11 prior to 11.3.4_23

Overview

A vulnerability has been reported in CrushFTP that could be exploited by a remote attacker to bypass security restrictions on the targeted system.

Target Audience:

All organizations and individuals using CrushFTP.

Risk Assessment:

High risk of information disclosure and system instability.

Impact Assessment:

Potential for data theft and system compromise.

Description

CrushFTP is a high-performance, secure file transfer solution that supports FTP, SFTP, HTTP/S, and more. It streamlines file management with advanced automation, strong encryption, and flexible scalability for enterprise-level operations.

This vulnerability exists in CrushFTP due to security failure in DMZ proxy implementation and improper AS2 validation.  A remote attacker can exploit this vulnerability by sending a specially HTTP POST requests to the /WebInterface/function/ endpoint.

Successful exploitation of this vulnerability could enable a remote attacker to bypass security restrictions on the targeted system without requiring authentication.

Solution

Apply appropriate updates as provided by the vendor:

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025

Vendor Information

CrushFTP

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025

References

CrushFTP

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025

GB Hackers

https://gbhackers.com/crushftp-hit-by-critical-0-day-rce-vulnerability/

CVE Name

CVE-2025-54309

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmjlFokACgkQ3jCgcSdc

ys9OzQ/+M2NdGf5hgBnbYEyWJmrW4ETghlsbVBCorzbKT1YutYvP7Md8m7UuJj8x

TqvHykljeW/dfeGLI/0yeEb3dwKfq82+ny7CvgOO0l+hXov6xMRzHZcuObTpUUhp

0WzfLFuwtRJ9q/OrdmFc9W3kunZMRFq1JjKVnxs3lKsV71rqCizBaa/35dK1ysNI

ISMHozXtO3vgxaWC97eAOk5Kl7TVZvXlMFQfusP/PHsJuXA0h/Ypx1aK8b+LGT+v

7rl2sa7Oxn5NdI4APcBbdxciy51X293JgXUYBZoLVCYT/wmQfK3SxcaVijT960jw

FVNZSFyBWFgQoyIFXDx0pk4Mo2uQ0PYn7/2kx7Bp/VpmW5iRFPK/tk57putzEBRd

H05HZGXu49RB/eCDwzcEXJzE4HFNTraeoR2LIStGEuna36lzx83fPQtKtLruMeBq

ak0hZiXtLmO3MISZrGXMTfJUL68POdSPK38BHIqoNpXPJwl3i+iwhzEckkpYOhKA

Dyv+WiNlLLCvqvgxjZZavFw+23UKBAUcKxcCFYIgKzOfDOQlv0oqV1v+8cXyQhyh

ky28upMbTLiTWINW4rph7p0WNRm0X1SOxkYlwld+HSTBdlS8nGyE5CSVZKVDaMXy

2Rs6HydogS6pFP5YWu4592w7VLqYuVv3oDeZLNJhLNrhG8o1aaI=

=0ZdP

—–END PGP SIGNATURE—–