Introduction
On July 18, 2025, CrushFTP, a leading provider of managed file transfer (MFT) software, disclosed a critical zero-day vulnerability, CVE-2025-54309. This vulnerability exposes a glaring weakness in the AS2 validation mechanism of its web management interface. With a CVSS score of 9.8, the flaw enables remote, unauthenticated attackers to gain complete administrative control over affected CrushFTP servers.
This post offers a detailed, technical walkthrough of the vulnerability, its exploitation, real-world impact, and recommended defensive measures. Drawing from vendor advisories, Shodan scans, and independent research, this analysis provides a full-spectrum view necessary for security teams to act decisively.
CrushFTP and Its Role in Managed File Transfer
CrushFTP is a widely used file transfer platform that supports multiple protocols, including HTTP(S), FTP, and AS2. Organizations utilize it for secure and reliable data exchange, often within complex supply chains or between business partners.
- Why CrushFTP? It combines ease of deployment with flexible protocol support, making it popular in enterprise environments.
- AS2 Protocol Support: AS2 is essential for Electronic Data Interchange (EDI), a widely used technology in industries such as retail, logistics, and manufacturing.
- Attack Surface: The web management interface offers rich functionality but also creates a significant attack surface if not properly secured.
Vulnerability Breakdown: Understanding CVE-2025-54309
Description
CVE-2025-54309 arises from improper AS2 validation within the CrushFTP web interface when the DMZ proxy feature is disabled. This flaw allows attackers to send crafted HTTPS requests that bypass authentication and gain administrative privileges.
Attackers are likely to have reverse-engineered recent code changes, exploiting a previously patched but overlooked bug in the AS2 message processing logic.
The critical vulnerability CVE-2025-54309 in CrushFTP centers on a flaw in how the software processes AS2 protocol messages within its web management interface, particularly when the DMZ proxy feature is disabled. To fully appreciate the severity of this issue, it is essential to understand both the protocol involved and the nature of the validation failure.
AS2 Protocol and Its Importance
AS2 (Applicability Statement 2) is a widely adopted standard for secure and reliable electronic data interchange (EDI) over HTTP and HTTPS. It ensures message integrity, confidentiality, and non-repudiation by leveraging digital signatures, encryption, and delivery receipts. Many enterprises rely on AS2 for critical business communications, placing a premium on robust and accurate protocol handling.
The Core Issue: Improper AS2 Validation
CVE-2025-54309 stems from improper validation of incoming AS2 messages. Typically, these messages undergo rigorous checks to verify headers, MIME boundaries, digital signatures, and certificate trust. However, when the DMZ proxy feature in CrushFTP is disabled, this protective layer is bypassed, forcing the server to rely on its internal AS2 validation logic.
Due to a flaw in this internal processing, the server incorrectly accepts crafted AS2 requests without enforcing necessary authentication and integrity checks. This creates an unprotected alternate channel allowing remote attackers to gain unauthorized administrative access simply by sending specially crafted HTTPS requests.
Why This Flaw Is Particularly Dangerous
This vulnerability is not a typical authentication bypass. Instead, it exposes a deep protocol parsing weakness at the intersection of cryptographic verification and session management. Attackers exploiting this flaw gain full administrative privileges without prior authentication, which is an exceptionally rare and highly impactful vulnerability.
Moreover, the attack leverages HTTPS, blending seamlessly with legitimate encrypted traffic. As a result, traditional security controls such as network-based intrusion detection and simple application logs may fail to flag this malicious activity.
The Critical Role of the DMZ Proxy
The DMZ proxy feature serves as a gatekeeper for AS2 messages, validating their authenticity and integrity before forwarding them to the internal server. When enabled, it effectively mitigates this vulnerability by enforcing strict protocol compliance and blocking malformed or malicious messages.
Disabling the DMZ proxy removes this safeguard, leaving the backend server exposed to unfiltered AS2 traffic. The flaw in the internal validation logic then becomes reachable, giving attackers a direct pathway to the administrative interface.
Exploitable Attack Surface
The flaw exposes several critical attack vectors, including:
- Remote, unauthenticated access to administrative functions.
- Exploitation over standard HTTPS channels, which makes detection difficult.
- Bypassing of session and CSRF protections within the web management interface.
- Creation of persistent, stealthy accounts through manipulation of user identifiers.
Attack Mechanics: How the Exploit Works
Exploitation Steps in a Nutshell
- Crafting Malicious AS2 Messages: Attackers generate AS2 messages with manipulated headers and payloads to bypass authentication.
- Bypassing Authentication: These crafted requests exploit the alternate channel flaw to establish a remote, authenticated administrative session.
- Gaining Full Admin Control: Once authenticated, attackers can create or modify user accounts, upload or download files, and manipulate server configurations.
- Maintaining Persistence: Attackers may create long, random user IDs (e.g., 7a0d26089ac528941bf8cb998d97f408m) for stealth persistence.
Indicators of Compromise
- Unauthorized updates to the internal default user account, specifically “last_logins” field changes inside MainUsers/default/user.XML.
- File modification timestamps for the default user.XML that are inconsistent with regular maintenance windows.
- Appearance of unusual user accounts with random alphanumeric IDs.
Challenges in Detection
- AS2 traffic complexity masks malicious payloads.
- Many environments lack dedicated AS2 traffic inspection.
- An attack typically leaves minimal network-level forensic traces, aside from application logs.
Impact: What’s at Stake?
Business Risk
- Data Loss: Exfiltration of sensitive or regulated information.
- Operational Downtime: Service interruption due to malicious tampering or recovery efforts.
- Compliance Violations: Exposure of Personally Identifiable Information (PII) or Intellectual Property (IP).
- Reputational Damage: Breach of trust with customers and partners.
Technical Risk
- Complete server control facilitates pivoting into internal networks.
- Attackers can implant ransomware or backdoors.
- Potential disruption of critical EDI communications.
Global Exposure
Shodan Exposure Data
- Over 300,000 publicly accessible CrushFTP web interfaces globally.
- Largest concentrations in the United States (~46,000), India (~20,000), Australia (~19,000), Japan (~18,000), and the UK (~11,000).
Exploitation in the Wild
- Confirmed active exploitation since July 18, 2025.
- Approximately 1,040 unpatched, internet-facing servers remain vulnerable, primarily located in North America and Europe.
- Attackers adapted quickly following prior AS2 fixes, indicating the presence of targeted and persistent threat actors.
Figure: ShadowServer scan of unpatched CrushFTP instances vulnerable to CVE-2025-54309.
Mitigation Strategies
Patching
- Patch Immediately: Upgrade to CrushFTP 10.8.5_12 or 11.3.4_23 (or later). These releases fully fix the AS2 validation flaw.
- Restrict Admin Access: Use IP allow-lists, VPNs, or Zero Trust to limit access to the admin interface. Never expose it directly to the internet.
- Verify Integrity: Check file hashes, especially MainUsers/default/user.XML. Look for unauthorized changes or newly created admin accounts.
- Disable or Isolate AS2: If you don’t use AS2, disable it. Otherwise, route AS2 traffic through a DMZ proxy.
- Audit for Indicators of Compromise (IoCs): Look for:
  - New random user IDs
  - Modified default user configs
  - Admin UI appearing for regular users
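The following script is an added example, not code from CrushFTP or from this post's authors, that turns the Indicators of Compromise above and the patch/integrity checks in this section into a single offline audit: it decides whether a reported version string is at or above the fixed builds (10.8.5_12 / 11.3.4_23), flags account directories whose names match the long random-ID persistence pattern, and detects drift of MainUsers/default/user.XML against a recorded SHA-256 baseline, including any entries under its last_logins field. Everything about the on-disk layout is an assumption: the user tree is assumed to live at users/MainUsers/<username>/user.XML, the XML schema used here is a constructed stand-in rather than CrushFTP's real one, and all sample accounts, timestamps and addresses are constructed for the demonstration.

```python
"""Hypothetical post-patch audit helper for a CrushFTP install (added example).

Assumptions (not from the advisory): user records live under
<install>/users/MainUsers/<username>/user.XML, and the default user's record
carries a <last_logins> element. The XML layout below is a constructed
stand-in for demonstration, not CrushFTP's real schema.
"""
import hashlib
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Fixed builds named in the advisory, keyed by major version line.
FIXED_BUILDS = {10: (10, 8, 5, 12), 11: (11, 3, 4, 23)}


def parse_version(text: str) -> tuple[int, int, int, int]:
    """'11.3.4_23' -> (11, 3, 4, 23); a missing _build counts as 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised CrushFTP version: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def is_patched(text: str) -> bool:
    """True if the version is at or above the fixed build for its major line.
    Lines newer than 11 are assumed (not confirmed here) to carry the fix;
    lines older than 10 are treated as unpatched."""
    v = parse_version(text)
    fixed = FIXED_BUILDS.get(v[0])
    if fixed is None:
        return v[0] > 11
    return v >= fixed


# Heuristic for the 'long random ID' persistence pattern: 24+ lowercase
# alphanumerics with no separators, mixing letters and digits.
_RANDOM_ID = re.compile(r"[a-z0-9]{24,}")


def looks_random(username: str) -> bool:
    return (_RANDOM_ID.fullmatch(username) is not None
            and any(c.isdigit() for c in username)
            and any(c.isalpha() for c in username))


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def last_logins(user_xml: Path) -> list[str]:
    """Return the entries under <last_logins> (assumed element name)."""
    node = ET.parse(user_xml).getroot().find("last_logins")
    return [] if node is None else [e.text or "" for e in node]


def audit(main_users: Path, baseline_default_sha256: str) -> dict:
    """Report random-ID accounts and drift of MainUsers/default/user.XML."""
    suspicious = sorted(d.name for d in main_users.iterdir()
                        if d.is_dir() and looks_random(d.name))
    default_xml = main_users / "default" / "user.XML"
    return {
        "suspicious_accounts": suspicious,
        "default_user_modified": sha256_of(default_xml) != baseline_default_sha256,
        "default_last_logins": last_logins(default_xml),
    }


def write_user(main_users: Path, name: str, logins: list[str]) -> Path:
    """Write a constructed user.XML (simplified layout, not CrushFTP's schema)."""
    d = main_users / name
    d.mkdir(parents=True, exist_ok=True)
    user = ET.Element("user")
    ET.SubElement(user, "username").text = name
    ll = ET.SubElement(user, "last_logins")
    for entry in logins:
        ET.SubElement(ll, "login").text = entry
    path = d / "user.XML"
    path.write_bytes(ET.tostring(user))
    return path


def demo() -> dict:
    """Build a constructed MainUsers tree, snapshot the default user, then
    simulate the IoCs from the post and run the audit."""
    main_users = Path(tempfile.mkdtemp()) / "users" / "MainUsers"
    baseline = sha256_of(write_user(main_users, "default", []))  # clean snapshot
    write_user(main_users, "alice", ["2025-07-10 09:12 10.0.0.5"])  # constructed
    # Simulated compromise: default record gains a login, random-ID user appears.
    write_user(main_users, "default", ["2025-07-19 03:41 198.51.100.7"])
    write_user(main_users, "7a0d26089ac528941bf8cb998d97f408m", [])
    report = audit(main_users, baseline)
    report["patched"] = is_patched("11.3.4_23")
    return report


if __name__ == "__main__":
    print(demo())
```

In a real deployment, record the baseline hash of the default user.XML immediately after patching and store it outside the CrushFTP host, then run audit() on a schedule; the random-ID heuristic is deliberately loose, so treat its hits as leads for manual review of the account's creation time and privileges rather than as a verdict.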
About Guardz
Guardz is on a mission to create a safer digital world by empowering Managed Service Providers (MSPs). Their goal is to proactively secure and insure Small and Medium Enterprises (SMEs) against ever-evolving threats while simultaneously creating new revenue streams, all on one unified platform.
About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.