CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, CrushFTP mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.
PoC: CrushFTP-AS2-Bypass-Research-CVE-2025-54309
Findings & July race with 0day in wild
PoC: CVE-2025-54309
Exploitation scripts for the CrushFTP CVE-2025-54309 vulnerability
PoC: CVE-2025-54309
CrushFTP AS2 Authentication Bypass
PoC: CVE-2025-54309-EXPLOIT
CrushFTP Unauthenticated Remote Command Execution Exploit