A public proof-of-concept exploit targeting CVE-2025-54309 has been released. This critical vulnerability affects CrushFTP servers and allows remote attackers to bypass authentication by exploiting a race condition in AS2 validation. First seen in July 2025, it impacts CrushFTP 10 versions before 10.8.5 and CrushFTP 11 versions before 11.3.4_23 when the DMZ proxy is disabled, a common setup across enterprises.
Over 30,000 exposed instances are at risk. Attackers send two HTTP POST requests in quick succession to the WebInterface/function/ endpoint. The first includes an AS2-TO header impersonating the crushadmin user, and the second reuses the session cookies without the header. This sequence wins the race condition and creates a new admin account.
WatchTowr Labs published the exploit on GitHub to help security teams test systems safely. Analysts recommend monitoring for repeated POST requests with AS2-TO headers and similar cookies. Detection rules and rate-limiting can help reduce exploit attempts.
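The monitoring heuristic above, as an added example that is not code from the article or from WatchTowr Labs: it parses constructed access-log records (the pipe-separated field layout and the 2-second pairing window are assumptions, not a real CrushFTP log format) and flags a session cookie that sends an AS2-TO POST to the function endpoint followed almost immediately by a POST on the same cookie without the header.

```python
"""Flag AS2-TO POST followed by a cookie-reusing POST without the header."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Hypothetical field order:
# timestamp|method|path|session_cookie|as2to-or-dash
SAMPLE_LOG = """\
2025-07-20T10:00:00.000|POST|/WebInterface/function/|sid=abc123|as2to
2025-07-20T10:00:00.150|POST|/WebInterface/function/|sid=abc123|-
2025-07-20T10:00:05.000|GET|/WebInterface/|sid=zzz999|-
2025-07-20T10:01:00.000|POST|/WebInterface/function/|sid=def456|as2to
2025-07-20T10:01:30.000|POST|/WebInterface/function/|sid=def456|-
"""


@dataclass
class Req:
    ts: datetime
    method: str
    path: str
    cookie: str
    as2_to: bool  # True when the request carried an AS2-TO header


def parse(log: str) -> list[Req]:
    """Parse the constructed pipe-separated format into Req records."""
    reqs = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, method, path, cookie, hdr = line.split("|")
        reqs.append(Req(datetime.fromisoformat(ts), method, path, cookie, hdr == "as2to"))
    return reqs


def find_suspicious_pairs(reqs, window=timedelta(seconds=2)):
    """Return (cookie, first_ts, second_ts) for every AS2-TO POST to the function
    endpoint that is followed within `window` by a POST on the same cookie
    that lacks the header. The window is an assumed tuning value."""
    by_cookie: dict[str, list[Req]] = {}
    for r in sorted(reqs, key=lambda r: r.ts):
        if r.method == "POST" and r.path.startswith("/WebInterface/function/"):
            by_cookie.setdefault(r.cookie, []).append(r)
    hits = []
    for cookie, seq in by_cookie.items():
        for a, b in zip(seq, seq[1:]):
            if a.as2_to and not b.as2_to and b.ts - a.ts <= window:
                hits.append((cookie, a.ts, b.ts))
    return hits
```

In the sample, only sid=abc123 is reported; sid=def456 sends the same pair but 30 seconds apart, outside the window.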
To mitigate the threat:
- Upgrade to CrushFTP 10.8.5 or 11.3.4_23
- Enable the DMZ proxy
- Audit admin account changes and session reuse
Organizations should treat CVE-2025-54309 as a high-priority risk and respond quickly to prevent compromise.