CVE-2025-54309
CrushFTP Unprotected Alternate Channel Vulnerability
CVSS
—
Sin CVSS
EPSS
92.0%
p100
KEV
SÍ
22 jul 2025
Exploit Today
80
0-100
Publicado: — · Última mod.: —
Producto
CrushFTP / CrushFTP
Vulnerabilidad
CrushFTP Unprotected Alternate Channel Vulnerability
Añadido a KEV
22 jul 2025
Remediar antes de
12 ago 2025
Uso conocido en ransomware
No
Descripción resumida
CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.
Acción requerida
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notas
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54309