Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on Unpatched Servers

A recently uncovered critical security vulnerability in CrushFTP is being actively exploited in the wild. Tracked as CVE-2025-54309, the flaw has a CVSS score of 9.0.
“CrushFTP versions 10 prior to 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy function is inactive, improperly process AS2 validation, thereby permitting remote adversaries to gain administrative access through HTTPS,” as stated by

