CVE-2025-54309: CrushFTP Zero-Day Vulnerability Exploited In The Wild
A critical zero-day flaw in CrushFTP that can grant attackers administrator access was discovered on July 18 and is under active exploitation.
Background
On July 18, CrushFTP published an update to its CrushWiki detailing the discovery and exploitation of a zero-day in its CrushFTP software:
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2025-54309 | CrushFTP Unprotected Alternate Channel Vulnerability | 9.0 |
Tenable’s Research Special Operations (RSO) team is monitoring for any further developments surrounding CVE-2025-54309. We have classified it as a Vulnerability of Interest (VOI).
Analysis
CVE-2025-54309 is an unprotected alternate channel vulnerability in CrushFTP. The vulnerability exists because of a mishandling of validation in Applicability Statement 2 (AS2), a protocol for transporting critical data. A remote, unauthenticated attacker could exploit this vulnerability to obtain administrative access through CrushFTP.
Zero-day exploitation detected on July 18, 2025
According to CrushFTP, CVE-2025-54309 was first discovered as being exploited as a zero-day by unknown threat actors on July 18 at 9AM CST. However, they caution that exploitation may have “been going on for longer.”
CrushFTP says attackers reviewed recent patch to uncover zero-day
In addition to confirming exploitation of this flaw, CrushFTP says that attackers appear to have discovered it after reverse engineering its code to discover a bug that is fixed in the latest versions of its software.
Historical exploitation of CrushFTP
Since 2024, there have been two vulnerabilities exploited in the wild against CrushFTP. CVE-2024-4040, a sandbox escape flaw in CrushFTP’s virtual file system (VFS) sandbox, was exploited against multiple U.S. entities.
In May 2025, CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP, first identified as CVE-2025-2825 and subsequently rejected, was exploited in the wild after it was publicly disclosed.
Proof of concept
At the time this blog post was published, there was no proof-of-concept (PoC) for CVE-2025-54309.
Solution
The following are the affected and fixed versions of CrushFTP:
| Affected Versions | Fixed Versions |
|---|---|
| 10.8.4 and below | 10.8.5 |
| 11.3.4_22 and below | 11.3.4_23 |
Additionally, CrushFTP included some indicators of compromise (IOCs) and mitigation techniques in its Crush11Wiki update on July 18.
As a reminder, CrushFTP will stop supporting CrushFTP v10 in March 2026.
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-54309 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Get more information
Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Satnam Narang
Senior Staff Research Engineer, Security Response
Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).
Related articles
Oracle July 2025 Critical Patch Update Addresses 165 CVEs
Oracle addresses 165 CVEs in its third quarterly update of 2025 with 309 patches, including nine critical updates....
Understanding and Managing Cyber Risk: An Exposure Management FAQ for Business Leaders
Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, we answer some questions we’ve gotten recently the best way to determine, understand and communicate your risks....
How Tenable Research Discovered a Critical Remote Code Execution Vulnerability on Anthropic MCP Inspector
Tenable Research recently discovered a critical vulnerability impacting Anthropic's MCP Inspector tool, a core element of the MCP ecosystem. In this blog, we provide details on how we discovered the vulnerability in this widely used open-source tool — and what users can do about it.....
- Exposure Management
- Vulnerability Management
- Exposure Management
- Vulnerability Management