A critical zero-day vulnerability, designated CVE-2025-54309, has been identified in CrushFTP, a widely used file transfer server. The flaw lets remote attackers bypass authentication and obtain administrative privileges through a race condition in AS2 validation handling. It affects CrushFTP 10 before 10.8.5 and CrushFTP 11 before 11.3.4_23 when the DMZ proxy feature is not in use, a common deployment in many enterprise environments.
Technical Details of the Vulnerability
The core issue resides in the `WebInterface/function/` endpoint of CrushFTP. Attackers can exploit this by sending two sequential HTTP POST requests:
1. Request 1: Includes the header `AS2-TO: \crushadmin`.
2. Request 2: Omits the `AS2-TO` header but reuses the same session cookies.
By issuing these requests in rapid succession, an attacker can win the race and be treated as the built-in `crushadmin` user, which in turn allows calling the `setUserItem` function to create a new administrative account. Sent on their own, the requests typically return a 404; sent back-to-back, the second can return 200 OK, indicating that the `setUserItem` call succeeded and the administrative user was created.
Risk Factors:
– Affected Products: CrushFTP 10 versions before 10.8.5; CrushFTP 11 versions before 11.3.4_23.
– Impact: Authentication bypass leading to potential remote code execution.
– Exploit Prerequisites: DMZ proxy feature disabled; ability to send sequential HTTPS POST requests; possession of valid `CrushAuth` and `currentAuth` cookies.
– CVSS 3.1 Score: 9.8 (Critical).
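The affected-version ranges above are easy to misread when the 11.x fixed release carries a `_23` build suffix. The following Python is an added example written for this page, not code from CrushFTP or from the advisory: it parses version strings of the two shapes the article uses (`10.8.5`, `11.3.4_23`) and flags an inventory against the fixed releases. The inventory hosts and versions are constructed, and the handling of a missing build suffix is an assumption: a version such as `11.3.4` with no `_NN` is compared as build 0, so it is treated as older than `11.3.4_23` and therefore vulnerable, which is the conservative reading.

```python
import re
from typing import Dict, Optional, Tuple

# First fixed release per major line, as stated in the advisory text.
# The fourth component is the CrushFTP build suffix ('_23'); 0 means none given.
FIXED: Dict[int, Tuple[int, int, int, int]] = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}


def parse_version(v: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse '10.8.5' or '11.3.4_23' into a comparable 4-tuple.

    Assumption: a missing '_NN' build suffix is treated as build 0, so a bare
    '11.3.4' sorts below '11.3.4_23' (conservative: counted as unpatched).
    Returns None for strings that do not match either shape.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", v.strip())
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(v: str) -> Optional[bool]:
    """True if v is below the fixed release for its major line.

    Returns None for unparsable strings and for major versions the advisory
    does not cover (e.g. 9.x), so callers route them to manual review rather
    than silently treating them as safe.
    """
    parsed = parse_version(v)
    if parsed is None or parsed[0] not in FIXED:
        return None
    return parsed < FIXED[parsed[0]]


# Constructed sample inventory for the example; these are not real hosts.
INVENTORY: Dict[str, str] = {
    "ftp-a.example.internal": "10.8.4",
    "ftp-b.example.internal": "10.8.5",
    "ftp-c.example.internal": "11.3.4_22",
    "ftp-d.example.internal": "11.3.4_23",
    "ftp-e.example.internal": "11.3.4",
    "ftp-f.example.internal": "9.5.0",
}


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label every host 'vulnerable', 'patched' or 'review'."""
    labels = {True: "vulnerable", False: "patched", None: "review"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, label in triage(INVENTORY).items():
        print(f"{host:28} {INVENTORY[host]:10} {label}")
```

The `review` bucket matters in practice: a version string an inventory tool did not capture cleanly, or a major line the advisory does not mention, should surface as work to do rather than disappear into the "patched" count.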
Proof-of-Concept Exploit
Security researchers at WatchTowr Labs have published a working proof-of-concept (PoC) exploit on GitHub. The tool lets security teams verify whether a CrushFTP instance is vulnerable without leaving a persistent backdoor behind: it confirms successful exploitation by extracting the user list rather than by leaving a new account on the server.
Mitigation Strategies
Organizations using CrushFTP should take immediate action to mitigate this vulnerability:
1. Upgrade Software: Update CrushFTP 10 deployments to 10.8.5 or later and CrushFTP 11 deployments to 11.3.4_23 or later, and review the administrative user list on any instance that was reachable while unpatched.
2. Enable DMZ Proxy: If not already deployed, place the CrushFTP DMZ proxy in front of the main server. The flaw is reported as exploitable only when the DMZ proxy is not in use, so this removes the exposed condition, but it is a defense-in-depth measure and not a substitute for patching.
3. Monitor and Audit: Watch for bursts of POST requests to `/WebInterface/function/` carrying an `AS2-TO` header, especially one naming `crushadmin`, and for the same session cookies issuing requests with and without that header in quick succession. Audit additions of administrative users and review session reuse patterns to detect unauthorized activity.
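The monitoring step above translates into two concrete rules: flag any `AS2-TO` header that names `crushadmin`, and flag a session that sends a request with the header and then one without it within a short window, with a 200 on the second request treated as the success signal the article describes. The Python below is an added example written for this page, not detection content from CrushFTP or from any vendor. The log lines are constructed in a pipe-delimited layout invented for the example (it is not CrushFTP's own log format), the 5-second pairing window is an assumption to tune against real traffic, and the hosts and session identifiers are fictitious.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a pipe-delimited layout chosen for this
# example; it is NOT CrushFTP's own log format. Fields:
# timestamp|src_ip|method|path|status|CrushAuth cookie|AS2-TO header ('-' if absent)
# The second-to-last pair (session s-partner) is a legitimate AS2 peer whose
# header-less request arrives 15 minutes later, outside the pairing window.
SAMPLE_LOG = r"""
2025-07-18T09:12:00Z|198.51.100.4|GET|/WebInterface/|200|CrushAuth=s-legit|-
2025-07-18T09:12:01Z|203.0.113.7|POST|/WebInterface/function/|404|CrushAuth=s-attack|\crushadmin
2025-07-18T09:12:01Z|203.0.113.7|POST|/WebInterface/function/|404|CrushAuth=s-attack|-
2025-07-18T09:12:02Z|203.0.113.7|POST|/WebInterface/function/|404|CrushAuth=s-attack|\crushadmin
2025-07-18T09:12:02Z|203.0.113.7|POST|/WebInterface/function/|200|CrushAuth=s-attack|-
2025-07-18T09:30:00Z|198.51.100.9|POST|/WebInterface/function/|200|CrushAuth=s-partner|partner-as2
2025-07-18T09:45:00Z|198.51.100.9|POST|/WebInterface/function/|200|CrushAuth=s-partner|-
"""

TARGET_PATH = "/WebInterface/function/"
DEFAULT_WINDOW_SECONDS = 5  # assumed; tune to the request cadence seen in real logs


def parse_line(line):
    """Split one constructed record into a dict with typed fields."""
    ts, ip, method, path, status, cookie, as2_to = line.split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
        "session": cookie.split("=", 1)[-1],   # value of the CrushAuth cookie
        "as2_to": None if as2_to == "-" else as2_to,
    }


def names_crushadmin(as2_to):
    """True if an AS2-TO value resolves to the built-in admin account.

    Leading backslashes are stripped because the reported header value is
    backslash + 'crushadmin'; the comparison is case-insensitive.
    """
    return as2_to is not None and as2_to.lstrip("\\").lower() == "crushadmin"


def analyze(log_text, window_seconds=DEFAULT_WINDOW_SECONDS):
    """Return a list of alert dicts for the two rules described above."""
    window = timedelta(seconds=window_seconds)
    alerts = []
    by_session = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # Rule 1: any request naming crushadmin via AS2-TO is suspicious on its own.
        if names_crushadmin(rec["as2_to"]):
            alerts.append({"rule": "admin_as2_to", "session": rec["session"],
                           "ip": rec["ip"], "ts": rec["ts"]})
        if rec["method"] == "POST" and rec["path"] == TARGET_PATH:
            by_session[rec["session"]].append(rec)
    # Rule 2: per session, an AS2-TO request followed within the window by one
    # without the header is the pair the race needs; a 200 on the second
    # request is the success signal the article describes.
    for session, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])  # stable sort keeps log order for equal timestamps
        for prev, cur in zip(recs, recs[1:]):
            if (prev["as2_to"] is not None and cur["as2_to"] is None
                    and cur["ts"] - prev["ts"] <= window):
                rule = "header_flip_success" if cur["status"] == 200 else "header_flip"
                alerts.append({"rule": rule, "session": session,
                               "ip": cur["ip"], "ts": cur["ts"]})
    return alerts


def summarize(alerts):
    """Count alerts per rule, the shape a SIEM dashboard would consume."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["rule"], a["session"], a["ip"])
    print(summarize(analyze(SAMPLE_LOG)))
```

On the sample, only session `s-attack` produces alerts; the partner session's header-less request falls outside the 5-second window and is ignored. Widening the window to an hour would flag that partner traffic too, which is the trade-off to weigh when tuning: the race needs the two requests close together, so a tight window is what keeps legitimate AS2 exchanges out of the alert queue.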
Given the critical nature of CVE-2025-54309 and its active exploitation in the wild, it is imperative for organizations to implement these mitigation strategies promptly to safeguard their systems.