CrushFTP CVE-2025-54309: Critical AS2 Validation Flaw Enables Admin Takeover via HTTPS
Introduction
In July 2025, attackers were observed exploiting a critical flaw in CrushFTP—a popular enterprise file transfer solution—allowing them to gain administrative access over HTTPS. This vulnerability, tracked as CVE-2025-54309, affects organizations using CrushFTP for secure B2B data exchange, particularly those relying on the AS2 protocol. The impact is severe: remote, unauthenticated attackers can take full control of vulnerable servers, exfiltrate sensitive data, and move laterally within enterprise networks.
About CrushFTP: CrushFTP is a cross-platform managed file transfer (MFT) server supporting FTP, SFTP, HTTP/S, WebDAV, and AS2. It is widely deployed in finance, healthcare, and logistics sectors, with thousands of enterprise installations globally. Its flexibility and protocol support make it a backbone for secure data workflows, but also a high-value target for attackers.
Technical Information
Vulnerability Mechanism
CVE-2025-54309 is exploitable only on CrushFTP instances that are not fronted by the DMZ proxy feature. The NVD entry describes the root cause as mishandled AS2 validation, which lets a remote attacker obtain admin access over HTTPS. AS2 (Applicability Statement 2) is the protocol CrushFTP uses for signed and encrypted B2B document exchange over HTTP/S, so the inbound AS2 handler is reachable by anyone who can reach the server's HTTPS listener.
Key technical details:
- Improper AS2 validation: the vulnerable code path does not enforce the integrity check on inbound AS2 messages (modelled in this report as the Message Integrity Check, MIC) and does not sufficiently validate or sanitize the multipart message content.
- Attack vector: an attacker crafts an AS2 message with manipulated headers (such as AS2-To) and payload so that it passes the authentication and integrity controls as if it came from a trusted partner.
- Admin API exposure: once the message is accepted, the attacker reaches CrushFTP's admin API endpoints (e.g. /WebInterface/function/) and escalates to full administrative access.
The vendor advisory and the NVD entry describe the root cause only as mishandled AS2 validation; the mechanism above and the snippet below are this report's reconstruction of that flaw, not a published root-cause analysis.
Vulnerable Code Pattern (Illustrative)
```java
// Illustrative only: a flawed AS2 integrity check of the kind this report
// describes. This is not CrushFTP source code.
public boolean validateMIC(AS2Message message) {
    String receivedMIC = message.getMIC();     // value supplied by the sender
    String computedMIC = computeMIC(message);  // recomputed over the body
    // Vulnerable: the two values are never compared, so any sender's
    // message, carrying any MIC, is treated as intact and trusted.
    return true;
}
```
Exploitation Flow
- Craft AS2 Message: Attacker creates a multipart AS2 message with forged MIC and spoofed headers.
- Send via HTTPS: The message is delivered to the CrushFTP server over HTTPS.
- Bypass Validation: Due to insufficient checks, the server accepts the message and processes it as if from a trusted partner.
- Admin Access: The attacker leverages admin API endpoints to create or access privileged accounts.
Note: the vulnerability is reported only for deployments that do not use the DMZ proxy. With the DMZ proxy in front, the internal CrushFTP instance does not accept inbound connections directly, which is why the vendor lists those deployments as unaffected. Treat this as a reduction of exposure, not a substitute for the patch.
Patch Information
CrushFTP has addressed CVE-2025-54309 in the following versions:
- 10.8.5 and later
- 11.3.4_23 and later
Patch steps:
- Download the latest version from the official CrushFTP site.
- Follow the upgrade instructions to ensure all components are updated.
- If patching cannot be performed immediately, place the instance behind the DMZ proxy and restrict who can reach the HTTPS listener.
- After upgrading, verify that the running instance reports a fixed build (10.8.5 or later, or 11.3.4_23 or later), and review administrative accounts for changes you did not make.
Official advisory:
Affected Systems and Versions
Vulnerable products and configurations:
- CrushFTP 10: All versions before 10.8.5
- CrushFTP 11: All versions before 11.3.4_23
- Configuration: Only vulnerable when the DMZ proxy feature is not enabled
If your deployment matches the above version ranges and does not use the DMZ proxy, it is at critical risk.
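An added triage helper (written for this report, not a CrushFTP tool) that encodes the affected set above: a 10.x build below 10.8.5 or an 11.x build below 11.3.4_23, combined with no DMZ proxy in front. It assumes the version string is in the vendor's "major.minor.patch" or "major.minor.patch_build" form, that a missing "_build" suffix orders before any suffixed build of the same version, and it takes the version and DMZ status as inputs rather than probing the server. The hostnames in the sample inventory are constructed.

```python
import re

# Fixed builds named in the advisory and the NVD entry for CVE-2025-54309,
# keyed by major release line.
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> tuple:
    """Parse strings such as '11.3.4_23' or '10.8.4' into a sortable tuple.
    Assumption: the '_NN' suffix is a build number ordering after the same
    version with no suffix, so a missing suffix counts as build 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str, dmz_proxy_in_front: bool) -> bool:
    """True when the instance is in the CVE-2025-54309 affected set:
    10.x < 10.8.5 or 11.x < 11.3.4_23, and no DMZ proxy in front."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # Major line not covered by the advisory's two ranges; treat as
        # out of scope for this CVE rather than guessing.
        return False
    return v < fixed and not dmz_proxy_in_front


def triage(inventory):
    """inventory: iterable of (hostname, version, dmz_proxy_in_front).
    Returns the hostnames needing an immediate upgrade, sorted."""
    return sorted(host for host, ver, dmz in inventory if is_vulnerable(ver, dmz))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("mft-prod-1", "11.3.4_20", False),   # below fixed build, exposed
        ("mft-prod-2", "11.3.4_23", False),   # exactly the fixed build
        ("mft-dmz", "11.3.2", True),          # old build, but behind DMZ proxy
        ("mft-legacy", "10.8.4", False),      # 10.x below 10.8.5, exposed
        ("mft-old", "10.8.5", False),         # fixed 10.x build
    ]
    print(triage(sample))
```

A host behind the DMZ proxy drops out of the affected set as the advisory describes, but it still runs an old build; feed such hosts into the normal patch cycle rather than treating the empty result as closure.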
Vendor Security History
CrushFTP has experienced several significant vulnerabilities in recent years, including:
- CVE-2025-31161: authentication bypass in HTTP(S) authorization handling, fixed in March 2025 and also exploited in the wild
- CVE-2024-4040: server-side template injection allowing an attacker to escape the virtual file system sandbox and read arbitrary files, fixed in April 2024
- CVE-2023-43177: an improperly controlled modification of object attributes reachable through AS2 header parsing, leading to unauthenticated remote code execution
The vendor typically responds rapidly to critical vulnerabilities, releasing patches within days of disclosure. However, CVE-2025-54309 is the second flaw in the AS2 handling path after CVE-2023-43177, and the third authentication or input-validation bypass in about eighteen months, which points to ongoing difficulty hardening the HTTP-facing protocol handlers. Organizations should treat the HTTPS listener as hostile-facing, keep it behind the DMZ proxy or an allowlist where possible, and prioritize timely updates.
References
- NVD Entry for CVE-2025-54309
- Official CrushFTP Advisory: July 2025 Compromise
- CrushFTP AS2 Documentation
- CrushFTP DMZ Proxy Guide
- CrushFTP Download Page
- CVE-2025-31161 Analysis
Source: This report was created using AI
If you have suggestions for improvement or feedback, please reach out to us at [email protected]