[CIVN-2025-0244] Authentication Bypass Vulnerability in CrushFTP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Authentication Bypass Vulnerability in CrushFTP
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
CrushFTP version 10 prior to 10.8.5
CrushFTP version 11 prior to 11.3.4_23
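The two affected ranges above turn a fleet-wide "are we exposed?" question into a version comparison, but the build suffix in 11.3.4_23 trips up naive string or float comparisons. The following is an added example, not part of the CERT-In advisory or any CrushFTP tooling: it parses version strings of the shape major.minor.patch[_build] (that shape is an assumption drawn only from the "11.3.4_23" string in the advisory) and triages a constructed host inventory against the fixed versions stated here.

```python
"""Triage CrushFTP versions against CIVN-2025-0244 / CVE-2025-54309.

Added example, not from the advisory or the vendor. The version format
major.minor.patch[_build] is an assumption based on "11.3.4_23".
"""
from __future__ import annotations

import re
from typing import Optional

# Fixed versions as stated in the advisory: 10.x below 10.8.5 and
# 11.x below 11.3.4_23 are affected.
FIXED_VERSIONS = {10: "10.8.5", 11: "11.3.4_23"}

# Accepts "11", "11.3", "11.3.4" and "11.3.4_23"; missing parts count as 0.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn a CrushFTP version string into a comparable 4-tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())  # type: ignore[return-value]


def is_affected(text: str) -> Optional[bool]:
    """True if the version is in an affected range, False if fixed,
    None if the major version is not covered by the advisory."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version < parse_version(fixed)


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host to a triage status; never raises on bad input so one
    odd entry does not abort a fleet-wide check."""
    result = {}
    for host, version in inventory.items():
        try:
            state = is_affected(version)
        except ValueError:
            result[host] = "unparseable version"
            continue
        if state is None:
            result[host] = "not covered by advisory"
        elif state:
            result[host] = "update required"
        else:
            result[host] = "fixed"
    return result


def hosts_needing_update(inventory: dict[str, str]) -> list[str]:
    """Sorted list of hosts whose version falls in an affected range."""
    return sorted(h for h, s in triage(inventory).items() if s == "update required")


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ftp-dmz-01": "11.3.4_22",   # one build below the 11.x fix
    "ftp-dmz-02": "11.3.4_23",   # exactly the fixed build
    "ftp-legacy": "10.8.4",      # below the 10.x fix
    "ftp-internal": "10.8.5",    # exactly the 10.x fix
    "ftp-unknown": "11.3.x",     # malformed entry from the CMDB
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:12} {status}")
```

Versions are compared as integer tuples so that 11.3.4 (no build number) sorts below 11.3.4_23 and is correctly reported as affected; a major version the advisory does not mention is reported as "not covered" rather than silently passed.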
Overview
A vulnerability has been reported in CrushFTP that could be exploited by a remote attacker to bypass security restrictions on the targeted system.
Target Audience:
All organizations and individuals using CrushFTP.
Risk Assessment:
High risk of information disclosure and system instability.
Impact Assessment:
Potential for data theft and system compromise.
Description
CrushFTP is a high-performance, secure file transfer solution that supports FTP, SFTP, HTTP/S, and more. It streamlines file management with advanced automation, strong encryption, and flexible scalability for enterprise-level operations.
This vulnerability exists in CrushFTP due to a security failure in the DMZ proxy implementation and improper AS2 validation. A remote attacker can exploit this vulnerability by sending specially crafted HTTP POST requests to the /WebInterface/function/ endpoint.
Successful exploitation of this vulnerability could enable a remote attacker to bypass security restrictions on the targeted system without requiring authentication.
Solution
Apply appropriate updates as provided by the vendor:
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
Vendor Information
CrushFTP
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
References
CrushFTP
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
GB Hackers
https://gbhackers.com/crushftp-hit-by-critical-0-day-rce-vulnerability/
CVE Name
CVE-2025-54309
- -- 
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----