CISA Known Exploited Vulnerability

This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.

Remediation Deadline: Aug 12, 2025

CVE-2025-54309

High

EPSS 74.0%CISA KEV

Description

CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.

EPSS — Exploit Probability

74.0%

Higher than 98.8% of all CVEs

Required Action

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54309

Related Articles (1)

Vulnerabilities

Bruteforce Scans for CrushFTP , (Tue, Mar 3rd)

CrushFTP is a Java-based open source file transfer system. It is offered for multiple operating systems. If you run a CrushFTP instance, you may remember that the software has had some serious vulnerabilities: CVE-2024-4040 (the template-injection flaw that let unauthenticated attackers escape th...

Mar 3, 2026

Risk Assessment

HIGH

In CISA KEV

High EPSS

Details

Severity: High
EPSS: 74.0%
CISA KEV: Yes
Ransomware: Unknown
Articles: 1

Timeline

Published

Jul 22, 2025

Added to KEV

Jul 22, 2025

Remediation Due

Aug 12, 2025

Affected Product

CrushFTP

View all CrushFTP CVEs

External Links

NVD (NIST)CVE Details MITRE CVE