PoC Exploit Unveiled for CrushFTP 0-Day Vulnerability (CVE-2025-54309)
A weaponised proof-of-concept exploit has been publicly released for CVE-2025-54309, a critical authentication bypass vulnerability affecting CrushFTP file transfer servers. The flaw lets remote attackers gain administrative privileges through a race condition in AS2 validation processing, effectively circumventing authentication. The vulnerability first emerged in the wild in July 2025 and affects CrushFTP versions 10 prior to 10.8.5 and 11 prior to 11.3.4_23, particularly when the DMZ proxy feature is disabled, a configuration that is common among enterprise deployments. The vendor’s postmortem, published on July 18, 2025, acknowledged the active targeting of CrushFTP instances but attributed the issue to users not applying a silent patch that was never publicly announced.
The exploit takes advantage of a race condition in the WebInterface/function/ endpoint, where two sequential HTTP POST requests compete to set session state. By sending Request 1 with the AS2-TO: crushadmin header, followed immediately by Request 2, which omits the header but reuses the same session cookies, attackers can impersonate the built-in crushadmin user. This allows them to invoke setUserItem and create a new administrative account. Sent on their own, the requests return a 404 error, but when executed concurrently, Request 2 can return a 200 OK response, confirming that an administrative user was created. Security teams are advised to upgrade to CrushFTP 10.8.5 or 11.3.4_23, enable the DMZ proxy feature, and monitor for unusual spikes in POST requests to the WebInterface/function/ endpoint.
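The two defender-side checks the article implies, a version triage and a log sweep for the POST-burst pattern, as an added example that is not from the article or from CrushFTP itself. It assumes that a `_NN` suffix (as in 11.3.4_23) is a build number that compares numerically after the dotted version, and it uses a constructed, simplified combined-log line format; real CrushFTP access logs differ, so the regex and the sample lines are placeholders to adapt.

```python
"""Added example: triage CrushFTP versions against CVE-2025-54309 and sweep
access-log lines for bursts of POSTs to /WebInterface/function/.
Log format and sample lines are constructed, not CrushFTP's real format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fixed versions named by the advisory: 10.8.5 and 11.3.4_23.
FIXED_10 = (10, 8, 5, 0)
FIXED_11 = (11, 3, 4, 23)


def parse_version(v):
    """'11.3.4_23' -> (11, 3, 4, 23); '10.8.5' -> (10, 8, 5, 0).
    Assumption: the '_NN' suffix is a build number ordered after x.y.z."""
    main, _, build = v.partition("_")
    parts = [int(p) for p in main.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]) + (int(build) if build else 0,)


def assess_version(version, dmz_proxy_enabled):
    """Return (vulnerable, risk). Only the 10.x and 11.x branches the advisory
    names are classified; other majors are reported as not affected."""
    v = parse_version(version)
    if v[0] == 10:
        vulnerable = v < FIXED_10
    elif v[0] == 11:
        vulnerable = v < FIXED_11
    else:
        vulnerable = False
    if not vulnerable:
        return False, "none"
    # A disabled DMZ proxy is the exposed configuration the advisory calls out.
    return True, "high" if not dmz_proxy_enabled else "medium"


# Constructed combined-log style: ip - - [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"
TARGET = "/WebInterface/function/"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def target_posts(lines):
    """Yield parsed POST records aimed at the vulnerable endpoint."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(TARGET):
            yield rec


def find_post_bursts(lines, window_seconds=5, threshold=4):
    """Return {ip: max POSTs seen within any window_seconds window} for clients
    at or above threshold: the 'unusual spike' the advisory says to watch for."""
    per_ip = defaultdict(list)
    for rec in target_posts(lines):
        per_ip[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def mixed_status_clients(lines):
    """IPs that got both 404 and 200 from the endpoint: the advisory notes the
    requests 404 alone but one can return 200 when the race is won."""
    seen = defaultdict(set)
    for rec in target_posts(lines):
        seen[rec["ip"]].add(rec["status"])
    return {ip for ip, codes in seen.items() if {200, 404} <= codes}


# Constructed sample log: one client hammering the endpoint, one normal user.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2025:10:15:01] "POST /WebInterface/function/ HTTP/1.1" 404 0
203.0.113.7 - - [20/Jul/2025:10:15:01] "POST /WebInterface/function/ HTTP/1.1" 404 0
203.0.113.7 - - [20/Jul/2025:10:15:02] "POST /WebInterface/function/ HTTP/1.1" 404 0
203.0.113.7 - - [20/Jul/2025:10:15:02] "POST /WebInterface/function/ HTTP/1.1" 200 312
203.0.113.7 - - [20/Jul/2025:10:15:03] "POST /WebInterface/function/ HTTP/1.1" 404 0
198.51.100.4 - - [20/Jul/2025:10:15:05] "GET /WebInterface/ HTTP/1.1" 200 1024
198.51.100.4 - - [20/Jul/2025:10:16:30] "POST /WebInterface/function/ HTTP/1.1" 200 512
198.51.100.4 - - [20/Jul/2025:10:18:41] "POST /WebInterface/function/ HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    print(assess_version("11.3.4", dmz_proxy_enabled=False))
    print(find_post_bursts(SAMPLE_LOG), mixed_status_clients(SAMPLE_LOG))
```

The burst threshold and window are starting points, not tuned values; set them against a baseline of your own traffic to the endpoint before alerting on them, and treat a client that both bursts and collects a mix of 404 and 200 responses as the higher-priority signal.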
Categories: Vulnerability Exploitation, Security Mitigation, Software Update Recommendations
Tags: CVE-2025-54309, CrushFTP, Authentication Bypass, Race Condition, PoC Exploit, DMZ Proxy, Remote Code Execution, HTTPS POST Requests, Administrative Privileges, Security Mitigation