Goal Reached Thanks to every supporter β€” we hit 100%!

Goal: 1000 CNY Β· Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-54309 β€” AI Deep Analysis Summary

CVSS 9.0 Β· Critical

Q1What is this vulnerability? (Essence + Consequences)

🚨 **Essence**: CrushFTP suffers from an **AS2 validation flaw** allowing **Authentication Bypass**. <br>πŸ’₯ **Consequences**: Remote attackers can bypass login checks to gain **Full Admin Access** without credentials.…
Read full answer (login)

Q2Root Cause? (CWE/Flaw)

πŸ›‘οΈ **Root Cause**: **CWE-420** (Acceptance of Extraneous Untrusted Data). <br>πŸ” **Flaw**: Logic error in `ServerSessionHTTP.java` (`loginCheckHeaderAuth`). The system fails to properly validate the `AS2-To` header.…
Read full answer (login)

Q3Who is affected? (Versions/Components)

πŸ“¦ **Affected Products**: **CrushFTP** (File Transfer Server).…
Read full answer (login)

Q4What can hackers do? (Privileges/Data)

πŸ‘‘ **Attacker Capabilities**: <br>β€’ **Privileges**: Gains **Administrator Rights** instantly. <br>β€’ **Data**: Full read/write access to all files.…
Read full answer (login)

Q5Is exploitation threshold high? (Auth/Config)

πŸ“‰ **Exploitation Threshold**: **LOW**. <br>πŸ”‘ **Auth**: **None** required (Unauthenticated). <br>βš™οΈ **Config**: Requires standard HTTPS access.…
Read full answer (login)

Q6Is there a public Exp? (PoC/Wild Exploitation)

πŸ’£ **Public Exploits**: **YES**. <br>πŸ”₯ **Wild Exploitation**: **Confirmed** (Exploited in the wild since July 2025).…
Read full answer (login)

Q7How to self-check? (Features/Scanning)

πŸ” **Self-Check Methods**: <br>1. **Scan**: Use Nuclei template `code/cves/2025/CVE-2025-54309.yaml`. <br>2. **Verify**: Send HTTP request with empty/invalid `AS2-To` header. <br>3.…
Read full answer (login)

Q8Is it fixed officially? (Patch/Mitigation)

πŸ› οΈ **Official Fix**: **YES**. <br>βœ… **Patch Versions**: <br>β€’ Upgrade to **CrushFTP 10.8.5** or later. <br>β€’ Upgrade to **CrushFTP 11.3.4_23** or later.…
Read full answer (login)

Q9What if no patch? (Workaround)

🚧 **No Patch Workaround**: <br>1. **Block Access**: Restrict HTTP/HTTPS access to trusted IPs only (WAF/ACL). <br>2. **Disable AS2**: If not used, disable AS2 features entirely. <br>3.…
Read full answer (login)

Q10Is it urgent? (Priority Suggestion)

πŸ”΄ **Priority**: **CRITICAL (Immediate Action)**. <br>⏱️ **Urgency**: **High**. <br>πŸ“‰ **Reason**: CVSS 9.8, Unauthenticated, Wild Exploitation Active. <br>πŸš€ **Action**: Patch immediately.…
Read full answer (login)

Continue exploring

Vulnerability detail Full AI analysis (login) CrushFTP CWE-420