Vulnerability Database

296,147

Total vulnerabilities in the database

CVE-2025-54309

CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.

  • Published: Jul 18, 2025
  • Updated: Jul 24, 2025
  • CVE: CVE-2025-54309
  • Severity: Critical
  • Exploit:

CVSS v3:

  • Severity: Critical
  • Score: 9.8
  • AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

Software From Fixed in
crushftp / crushftp 10.0.0 10.8.5
crushftp / crushftp 11.0.0 11.3.4_23