CVE-2025-54309 PoC — CrushFTP Security Vulnerability

Associated Vulnerability
Title: CrushFTP Security Vulnerability (CVE-2025-54309)
Description: CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
Readme
# CVE-2025-54309__Enhanced_exploit

This is an enhanced version of the exploit PoC originally created by **watchtowrlabs**: https://github.com/watchtowrlabs/watchTowr-vs-CrushFTP-Authentication-Bypass-CVE-2025-54309 (massive shoutout to them!!)

This exploit is meant for research and education purposes and the mentioned vulnerability has already been patched by CrushFTP.

This version of the exploit can add an administrative user to the CrushFTP instance and can also verify the existing users.


Key Features:

- Race Condition Implementation: Uses high-concurrency threading to exploit the timing window
- XML Payload Generation: Creates proper user creation payloads with admin privileges
- Session Management: Handles CrushAuth and currentAuth cookies
- Verification: Optional login verification to confirm user creation
- HTB Optimized: Designed specifically for penetration testing labs

The script implements the exact attack pattern discovered by watchTowr's honeypot network and should work against vulnerable CrushFTP instances (versions 10 before 10.8.5 and 11 before 11.3.4_23) in an authorized environment.

Important: This script is designed exclusively for authorized penetration testing in controlled environments like HackTheBox labs or authorized instances. The race condition requires multiple threaded attempts to succeed, so you may need to run it several times or adjust the thread count based on your target's responsiveness.

```
# Basic usage
python3 exploit.py https://your-crushftp-target:8443

# Custom username/password
python3 exploit.py https://your-crushftp-target:8443 -u myhtbuser -p MyPassword123

# With verification
python3 exploit.py https://your-crushftp-target:8443 --verify

# Adjust threading for better success rate
python3 exploit.py https://your-crushftp-target:8443 -t 100 -i 200
```
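
For defenders triaging an inventory against the affected range stated above, this added example (not part of the original README or the exploit script) classifies version strings against the fixed releases 10.8.5 and 11.3.4_23. The `major.minor.patch[_build]` format, treating a missing build suffix as build 0, and the status labels are assumptions.

```python
import re

# Fixed releases, as stated in the CVE description on this page.
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

# Assumed format: major.minor.patch with optional _build ("10.8.5", "11.3.4_23").
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\s*$")


def parse_version(text):
    """Return (major, minor, patch, build), or None if the string does not parse."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    # Assumption: a release with no _build suffix sorts as build 0.
    return tuple(int(part or 0) for part in m.groups())


def triage(version_text, dmz_proxy_in_use=False):
    """Classify one CrushFTP version string against CVE-2025-54309."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "not-covered"  # the description only speaks about 10.x and 11.x
    if version >= fixed:
        return "patched"
    # The description scopes the flaw to setups where the DMZ proxy is not used.
    return "in-range-dmz-proxy-used" if dmz_proxy_in_use else "affected"


def triage_inventory(inventory):
    """Map host -> status for (host, version, dmz_proxy_in_use) tuples."""
    return {host: triage(ver, dmz) for host, ver, dmz in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hosts and versions are made up.
    sample = [
        ("ftp-a.example", "10.8.4", False),
        ("ftp-b.example", "11.3.4_23", False),
        ("ftp-c.example", "11.3.4", True),
        ("ftp-d.example", "unknown", False),
    ]
    for host, status in triage_inventory(sample).items():
        print(f"{host:15} {status}")
```

Hosts reported as `in-range-dmz-proxy-used` still run a pre-fix build and should be scheduled for upgrade; `unparseable` and `not-covered` entries need manual review.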



File Snapshot

```
[4.0K] /data/pocs/0e2f3315870097dd106ba91360781de3150f5172
├── [ 13K] exploit.py
└── [1.9K] README.md

0 directories, 2 files
```