A critical zero-day vulnerability has been identified in CrushFTP, a widely used file transfer server, allowing unauthenticated attackers to execute arbitrary code remotely on affected systems. The flaw, tracked as CVE-2025-54309 with a CVSS score of 9.8, is an authentication bypass in CrushFTP's web interface; the vendor advisory and the NVD entry describe it as affecting CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23 in deployments where the DMZ proxy feature is not in use. Security researchers have released proof-of-concept (PoC) exploit code, raising the urgency for organizations to patch promptly.
Technical Details of the Vulnerability
The vulnerability lies in how CrushFTP authenticates requests to the `/WebInterface/function/` administrative endpoint. Deployments that place the DMZ proxy in front of the internal server are not listed as affected: the proxy terminates client connections on a separate host and relays only validated requests to the internal administrative server. Where the web interface is exposed directly, specially crafted HTTP POST requests to this endpoint reach administrative functions without valid credentials, bypassing authentication entirely.
According to the published proof of concept, exploitation uses XML-RPC (XML Remote Procedure Call) to run arbitrary system commands: the attacker POSTs an XML payload whose `methodName` is `system.exec`, carrying the operating system command as its parameter, and the server executes it with the privileges of the CrushFTP process.
The combination of unauthenticated access, remote exploitability over the standard HTTPS listener, and arbitrary command execution makes this a full-compromise bug for any exposed instance, not merely a file-access issue.
Proof-of-Concept Exploitation
A PoC script published on GitHub bundles several attack vectors: direct XML-RPC command execution, command injection through the login form, and malicious file upload.
The basic exploitation command structure is as follows:
```bash
python3 exploit.py 192.168.1.100 -c "uname -a"
```
In this invocation the script builds the XML-RPC payload around the supplied command and delivers it to the vulnerable `/WebInterface/function/` endpoint on the target. Additional modes include a reconnaissance scan selected with the `--recon` flag and alternative payload types such as `cmd_inject` for the login-form command injection path.
Mitigation Measures
Organizations utilizing CrushFTP should take immediate action to mitigate this vulnerability:
1. Apply Patches: CrushFTP fixed the issue in 10.8.5 and 11.3.4_23. Administrators on either branch should update to those builds or later without delay, and should treat any instance that was reachable from the internet while unpatched as potentially compromised rather than assuming the patch alone closes the incident.
2. Restrict Network Access: Limit access to the web interface, and to the `/WebInterface/function/` endpoint in particular, to management networks or a VPN, and place internet-facing instances behind the DMZ proxy instead of exposing the internal server directly.
3. Monitor Traffic: Log and review requests to `/WebInterface/function/`, flagging POSTs that lack a valid session and bodies that carry an XML-RPC `methodCall`, especially one naming `system.exec`. Standard access logs do not record request bodies, so this check needs body logging at the reverse proxy or a WAF/IDS rule; match on a normalized path, since percent-encoded or `/./`-padded variants of the endpoint reach the same handler.
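As an added example, not code from the article, the PoC, or CrushFTP, the following Python script implements step 1's version check and step 3's request triage. The fixed version numbers are taken from the vendor advisory and NVD entry; the `CrushAuth` session cookie name and the captured requests are assumptions constructed for this example and should be adjusted to what your deployment and your proxy's body logging actually produce.

```python
"""Added example: CrushFTP CVE-2025-54309 version check and request triage.

Not CrushFTP code or the article's PoC. Fixed versions are from the vendor
advisory / NVD entry; the session cookie name and the captured requests below
are assumptions constructed for this example.
"""
import posixpath
import re
import xml.etree.ElementTree as ET  # use defusedxml in production: bodies are attacker-controlled
from urllib.parse import unquote, urlsplit

# Per the advisory/NVD: CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23 are affected.
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

ADMIN_ENDPOINT = "/WebInterface/function"
# Assumed name of the session cookie the web interface sets; adjust to your deployment.
SESSION_COOKIE = "CrushAuth"


def parse_version(version):
    """'11.3.4_23' -> (11, 3, 4, 23). A missing build suffix counts as build 0."""
    base, _, build = version.strip().partition("_")
    parts = [int(p) for p in base.split(".")]
    parts += [0] * (3 - len(parts))          # pad '11.3' to 11.3.0
    return tuple(parts[:3]) + (int(build) if build else 0,)


def is_vulnerable(version):
    """True/False for the 10.x and 11.x lines; None if the advisory does not cover the major."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    return None if fixed is None else v < fixed


def normalize_path(raw_path):
    """Strip the query, decode percent-encoding twice (to catch %25xx) and collapse
    '/./', '//' and '/../' so encoded variants of the endpoint still match."""
    path = unquote(unquote(urlsplit(raw_path).path))
    return posixpath.normpath(path)


def xmlrpc_method(body):
    """Return the XML-RPC methodName in body, or None if it is not an XML-RPC call.
    Falls back to a regex so a deliberately malformed payload is still caught."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        m = re.search(r"<methodName>\s*([^<\s]+)\s*</methodName>", body)
        return m.group(1) if m else None
    if root.tag != "methodCall":
        return None
    name = root.find("methodName")
    return name.text.strip() if name is not None and name.text else None


def inspect_request(req):
    """Triage one captured request: dict with method, path, headers, body."""
    findings = []
    path = normalize_path(req["path"])
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    body = req.get("body") or ""
    on_admin = path == ADMIN_ENDPOINT or path.startswith(ADMIN_ENDPOINT + "/")
    if on_admin:
        findings.append("admin_function_endpoint")
        if req["method"].upper() == "POST" and SESSION_COOKIE not in headers.get("cookie", ""):
            findings.append("unauthenticated_post")
    rpc_method = xmlrpc_method(body)
    if rpc_method:
        findings.append("xmlrpc:" + rpc_method)
    if rpc_method == "system.exec":
        severity = "critical"
    elif on_admin and "unauthenticated_post" in findings and rpc_method:
        severity = "high"
    elif "unauthenticated_post" in findings:
        severity = "medium"
    elif findings:
        severity = "info"
    else:
        severity = "none"
    return {"severity": severity, "findings": findings}


# Constructed sample captures (not real traffic), as a reverse proxy with body logging might emit.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/WebInterface/function/?command=getUserList",
     "headers": {"Cookie": "CrushAuth=1700000000_abcdef"}, "body": ""},
    {"method": "POST", "path": "/WebInterface/function/",
     "headers": {"Content-Type": "text/xml"},
     "body": ('<?xml version="1.0"?><methodCall><methodName>system.exec</methodName>'
              '<params><param><value><string>id</string></value></param></params></methodCall>')},
    {"method": "POST", "path": "/WebInterface/%66unction/./?x=1",
     "headers": {"Content-Type": "text/xml"},
     "body": "<methodCall><methodName>system.listMethods</methodName></methodCall>"},
    {"method": "GET", "path": "/index.html", "headers": {}, "body": ""},
]


def triage(requests):
    """Run inspect_request over a batch; returns one result dict per request."""
    return [inspect_request(r) for r in requests]


if __name__ == "__main__":
    for req, result in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(req["method"], req["path"], "->", result["severity"], result["findings"])
    for v in ("11.3.4_22", "11.3.4_23", "10.8.5"):
        print(v, "vulnerable:", is_vulnerable(v))
```

The second and third sample requests are the ones to alert on: the third shows why the path is normalized before matching, since `/WebInterface/%66unction/./` would slip past a literal string match on `/WebInterface/function/` yet reaches the same handler. Treat the severity tiers as a starting point for a SIEM rule rather than a verdict; a single unauthenticated POST to the endpoint is worth a look on its own.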
With public PoC code available and the flaw already exploited in the wild, organizations running CrushFTP should patch, verify the running version, and review logs for the indicators above without waiting for further confirmation of targeting.