CVE-2025-54309 PoC — CrushFTP security vulnerability

Associated Vulnerability
Title: CrushFTP security vulnerability (CVE-2025-54309)
Description: CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
Readme
# CVE-2025-54309 - CrushFTP

## Affected Versions
- CrushFTP 10.x before 10.8.5
- CrushFTP 11.x before 11.3.4_23

Only reachable when the DMZ proxy feature is not in use (see the vulnerability description above).
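A version triage helper, added here as an example and not part of the PoC repository or of CrushFTP itself: it parses CrushFTP version strings of the form `major.minor.patch[_build]`, compares them against the fixed builds stated above (10.8.5 and 11.3.4_23), and reports whether each host in an inventory falls in the affected range, honouring the caveat that the flaw is only reachable when the DMZ proxy feature is not used. The inventory, the hostnames, and the treatment of a missing `_build` suffix as build 0 are assumptions for illustration.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed builds as stated in the vulnerability description on this page:
# 10.x is fixed from 10.8.5, 11.x is fixed from 11.3.4_23.
FIXED_VERSIONS = {10: "10.8.5", 11: "11.3.4_23"}

# CrushFTP versions look like "11.3.4_23": dotted release plus an optional
# underscore-separated build number.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a CrushFTP version string into a comparable (major, minor, patch, build) tuple.

    Assumption: a version without a "_build" suffix is treated as build 0, so a
    bare 11.3.4 sorts before 11.3.4_1. Raises ValueError on unexpected input so
    that a garbled banner is never silently classified as patched.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str, dmz_proxy_in_use: bool = False) -> Optional[bool]:
    """Classify a single CrushFTP version against CVE-2025-54309.

    Returns True when the version is below the fixed build for its major
    release, False when it is at or above it, and None for major releases the
    advisory does not cover. Because the description says the flaw is only
    reachable when the DMZ proxy feature is not used, a deployment behind the
    DMZ proxy is reported as not vulnerable regardless of build.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    if dmz_proxy_in_use:
        return False
    return parsed < parse_version(fixed)


def triage(inventory: Iterable[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Map each (host, version, dmz_proxy_in_use) entry to a status label.

    Unparseable versions are flagged for manual review rather than dropped.
    """
    report: Dict[str, str] = {}
    for host, version, dmz in inventory:
        try:
            state = is_vulnerable(version, dmz)
        except ValueError:
            report[host] = "review (unparseable version)"
            continue
        if state is None:
            report[host] = "unknown (major version not covered by advisory)"
        elif state:
            report[host] = "VULNERABLE"
        else:
            report[host] = "not vulnerable"
    return report


# Constructed sample inventory (hypothetical hosts and versions for illustration).
SAMPLE_INVENTORY = [
    ("ftp-a.example.internal", "11.3.4_22", False),
    ("ftp-b.example.internal", "11.3.4_23", False),
    ("ftp-c.example.internal", "10.8.4", False),
    ("ftp-d.example.internal", "10.8.4", True),   # behind the DMZ proxy
    ("ftp-e.example.internal", "9.5.0", False),
    ("ftp-f.example.internal", "n/a", False),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28} {status}")
```

Feed the helper the version string reported by each server rather than the version you believe was deployed; the build number after the underscore is what distinguishes 11.3.4_22 from the fixed 11.3.4_23.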


Race condition PoC by watchtower, adjusted to be more extensible.

```
python crushedftp.py
usage: crushedftp.py [-h] [-u USERNAME] [-p PASSWORD] [-r REQUESTS] [-P PAYLOAD] target

CrushFTP CVE-2025-54309 XML Race Condition Exploit

positional arguments:
  target                Target CrushFTP URL (e.g. http://ftp.myserver.poo)

options:
  -h, --help            show this help message and exit
  -u, --username USERNAME
                        username for user_create payload (default: meow)
  -p, --password PASSWORD
                        password for user_create payload (default: meow!)
  -r, --requests REQUESTS
                        Number of request pairs (default: 5000)
  -P, --payload PAYLOAD
                        payload type
```

```
[*] Target: http://ftp.test.com
[*] New admin user: test:test
[*] PROGRESS: 50/5000 request pairs completed...
[+] Payload success!
Payload Success!
```


File Snapshot

```
[4.0K] /data/pocs/014402457481353aa6b321b2ec87b102ecd35f3f
├── [5.2K] crushedftp.py
└── [ 988] README.md

0 directories, 2 files
```