A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS score of 9.0. "CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS," according to
![]()
source https://thehackernews.com/2025/07/hackers-exploit-critical-crushftp-flaw.html
source https://thehackernews.com/2025/07/hackers-exploit-critical-crushftp-flaw.html