
CVE-2025-54309: Critical Zero-Day Vulnerability in CrushFTP Exploited


On July 18, 2025, CrushFTP disclosed that a zero-day vulnerability—now tracked as CVE-2025-54309—had been exploited in the wild, likely for some time. Threat actors reverse engineered the code, identified a previously fixed bug (likely present in builds prior to early July), and exploited it in unpatched systems to gain remote access via HTTP(S). The bug stems from the mishandling of AS2 validation. According to CrushFTP, environments using the DMZ proxy instance are not vulnerable to the exploit. 

Threat actors are likely to continue targeting CVE-2025-54309, as file transfer solutions such as CrushFTP have been frequent targets in the past. For example, earlier this year, another CrushFTP vulnerability (CVE-2025-31161) was widely exploited. 

Recommendations For CVE-2025-54309

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. 

| Product | Affected Version | Fixed Version |
|---|---|---|
| CrushFTP 10 | Versions before 10.8.5 | 10.8.5 |
| CrushFTP 11 | Versions before 11.3.4_23 | 11.3.4_23 |

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 
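
To find which servers still need the upgrade, the following Python script (an added example, not code from Arctic Wolf or CrushFTP) compares reported CrushFTP versions against the fixed versions in the table above. The hostnames and inventory are constructed, and treating a version with no _build suffix as build 0 is an assumption.

```python
import re

# Fixed versions from the advisory table, keyed by major release.
FIXED = {10: "10.8.5", 11: "11.3.4_23"}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

def parse_version(text):
    """Return (major, minor, patch, build), or None if the string is not
    in the major.minor.patch[_build] form shown in the advisory."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    # Assumption: a missing _build suffix sorts as build 0.
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))

def patch_status(version_text):
    """Classify one reported version as 'affected', 'fixed' or 'unknown'."""
    parsed = parse_version(version_text)
    if parsed is None or parsed[0] not in FIXED:
        # The advisory lists only CrushFTP 10 and 11; do not guess for others.
        return "unknown"
    fixed = parse_version(FIXED[parsed[0]])
    return "affected" if parsed < fixed else "fixed"

# Constructed inventory: hostnames and versions are made up for this example.
INVENTORY = {
    "sftp-edge-01": "10.8.4",
    "sftp-edge-02": "10.8.5",
    "sftp-core-01": "11.3.4_22",
    "sftp-core-02": "11.3.4_23",
    "sftp-lab-01": "11.3.5",
    "sftp-old-01": "9.4.0",
    "sftp-odd-01": "version 11",
}

def triage(inventory):
    """Group hosts by patch status so affected ones can be upgraded first."""
    groups = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        groups[patch_status(version)].append(host)
    return groups

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A "fixed" result reflects patch level only; it does not show whether a host was accessed before it was upgraded.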

Workaround (Optional)

For users unable to immediately patch CrushFTP, the vulnerability cannot be exploited if the demilitarized zone (DMZ) proxy instance of CrushFTP is in place, according to CrushFTP. 
