CVE-2025-54309

unknown KEV
Published 2025-07-22 · Modified 2025-07-22
CVSS v3
CVSS v2
VIR risk
1.5

Description

CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, CrushFTP mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.

CISA KEV

Vendor: CrushFTP
Product: CrushFTP
Due date: 2025-08-12

Predictions

Exploit likelihood: 99%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54309

Exploits

References
