CVE-2025-54309: CrushFTP Zero-Day Vulnerability Exploited In The Wild
A zero-day vulnerability, CVE-2025-54309, was found in the CrushFTP software, allowing attackers to obtain administrator privileges. The vulnerability was discovered on July 18 and is being actively exploited. Attackers may have discovered it through reverse engineering, and it has been exploited in the wild twice. CrushFTP has released fixed versions 10.8.5 and 11.3.4_23 to address the issue. 2025-7-19 00:46:57 Author: www.tenable.com

[Advisory graphic: Tenable Research Special Operations, "ADVISORY: Zero-Day Vulnerability Exploited"]

A critical zero-day flaw in CrushFTP that can grant attackers administrator access was discovered on July 18 and is under active exploitation.

Background

On July 18, CrushFTP published an update to its CrushWiki detailing the discovery and exploitation of a zero-day in its CrushFTP software:

CVE              Description                                           CVSSv3
CVE-2025-54309   CrushFTP Unprotected Alternate Channel Vulnerability  9.0

Tenable’s Research Special Operations (RSO) team is monitoring for any further developments surrounding CVE-2025-54309. We have classified it as a Vulnerability of Interest (VOI).

Analysis

CVE-2025-54309 is an unprotected alternate channel vulnerability in CrushFTP. The vulnerability exists because of a mishandling of validation in Applicability Statement 2 (AS2), a protocol for transporting critical data. A remote, unauthenticated attacker could exploit this vulnerability to obtain administrative access through CrushFTP.

Zero-day exploitation detected on July 18, 2025

According to CrushFTP, CVE-2025-54309 was first discovered as being exploited as a zero-day by unknown threat actors on July 18 at 9AM CST. However, they caution that exploitation may have “been going on for longer.”

CrushFTP says attackers reviewed recent patch to uncover zero-day

In addition to confirming exploitation of this flaw, CrushFTP says that attackers appear to have found it by reverse engineering its code to uncover a bug that had already been fixed in the latest versions of its software.

Historical exploitation of CrushFTP

Since 2024, there have been two vulnerabilities exploited in the wild against CrushFTP. CVE-2024-4040, a sandbox escape flaw in CrushFTP’s virtual file system (VFS) sandbox, was exploited against multiple U.S. entities.

In May 2025, CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP, first identified as CVE-2025-2825 and subsequently rejected, was exploited in the wild after it was publicly disclosed.

Proof of concept

At the time this blog post was published, there was no proof-of-concept (PoC) for CVE-2025-54309.

Solution

The following are the affected and fixed versions of CrushFTP:

Affected Versions       Fixed Versions
10.8.4 and below        10.8.5
11.3.4_22 and below     11.3.4_23
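A small version-triage helper, added here as an example and not part of Tenable's post or CrushFTP's own tooling: it parses CrushFTP version strings (including the "_NN" build suffix seen in 11.3.4_22) and compares them against the fixed versions in the table above. The inventory list at the bottom is constructed sample data; version strings without a build suffix are assumed to be build 0.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases from the table above, keyed by major branch.
# Versions below the v10 branch fall under "10.8.4 and below".
FIXED_VERSIONS = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

# major.minor.patch with an optional "_build" suffix, e.g. "11.3.4_22".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '11.3.4_22' into (11, 3, 4, 22); a missing suffix is build 0.
    Returns None for strings that do not look like a CrushFTP version."""
    match = VERSION_RE.match(version.strip())
    if not match:
        return None
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the fixed release for its branch,
    False if it is at or above the fix, None if unparseable or if the
    major branch is newer than anything the advisory covers."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    if parsed[0] < 10:          # older than any v10 release: affected
        return True
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:           # e.g. a future v12: not covered here
        return None
    return parsed < fixed       # tuple comparison handles the build number


def triage(versions) -> Dict[str, Optional[bool]]:
    """Classify every observed version string; used on inventory exports."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real host data.
    sample = ["10.8.4", "10.8.5", "11.3.4_22", "11.3.4_23", "11.3.4", "12.0.0"]
    for ver, status in triage(sample).items():
        label = {True: "AFFECTED", False: "fixed", None: "unknown"}[status]
        print(f"{ver:<12} {label}")
```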

Additionally, CrushFTP included some indicators of compromise (IOCs) and mitigation techniques in its Crush11Wiki update on July 18.

As a reminder, CrushFTP will stop supporting CrushFTP v10 in March 2026.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-54309 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.


Satnam Narang

Senior Staff Research Engineer, Security Response

Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.

Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).



Source: https://www.tenable.com/blog/cve-2025-54309-crushftp-zero-day-vulnerability-exploited-in-the-wild