A significant zero-day vulnerability in CrushFTP has been disclosed, allowing unauthenticated attackers to achieve complete remote code execution on vulnerable servers.\u00a0<\/p>\n
The flaw, tracked as CVE-2025-54309<\/a> and scoring a critical 9.8 on the CVSS scale, stems from a fundamental breakdown in security checks within CrushFTP\u2019s DMZ proxy configuration.\u00a0<\/p>\n Security researchers have already released proof-of-concept exploit code, significantly raising the urgency for organizations running CrushFTP to implement immediate protective measures.<\/p>\n According to pwn.guide advisory<\/a>, the core vulnerability lies in CrushFTP\u2019s failure to properly authenticate requests to the \/WebInterface\/function\/ admin endpoint.\u00a0<\/p>\n In normal operations, the DMZ proxy should act as a secure gateway protecting internal admin servers from public internet access.<\/p>\n However, this security mechanism completely fails when processing specially crafted HTTP POST requests, allowing attackers to bypass authentication entirely.<\/p>\n The primary exploitation method leverages the XML-RPC (XML Remote Procedure Call) protocol to execute arbitrary system commands.\u00a0<\/p>\n Attackers can send malicious XML payloads containing the system.exec function call to execute operating system commands directly. A typical attack payload appears as:<\/p>\n This vulnerability achieves its critical CVSS 9.8 rating due to three key factors: no authentication<\/a> requirements, remote accessibility from anywhere on the internet, and complete system compromise through RCE capabilities.<\/p>\n Security researchers have published a comprehensive PoC script on GitHub. The exploit tool supports multiple attack vectors, including direct XML-RPC command execution, command injection through login forms, and malicious file uploads.<\/p>\n The basic exploitation command structure follows: python3 exploit.py 192.168.1.100 -c \u201cuname -a\u201d, where the script generates XML-RPC payloads and delivers them to the vulnerable \/WebInterface\/function\/ endpoint.\u00a0<\/p>\n Advanced attack modes include reconnaissance scanning with \u2013recon flags and alternative payload types like cmd_inject for command injection attacks.<\/p>\n Organizations running CrushFTP should immediately implement network-level restrictions to block unauthorized access to admin endpoints, apply any available vendor patches, and monitor for suspicious XML-RPC requests targeting the \/WebInterface\/function\/ path.\u00a0<\/p>\n The combination of public PoC availability and the vulnerability\u2019s severe impact makes this a prime target for widespread exploitation campaigns.<\/p>\n The post Critical CrushFTP 0-Day RCE Vulnerability Technical Details and PoC Released<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways<\/mark><\/strong>
1. CVE-2025-54309 allows unauthenticated remote code execution on CrushFTP servers.
2. Exploits use malicious XML payloads to bypass authentication and execute system commands.
3. Public exploit code available - immediate patching required.<\/pre>\nTechnical Details of the Vulnerability<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfidOQ3BTVmV955OjagkPUBgXTg7RQIao-qdn-XCbvWahy041abmT1k0EcsHNFGe6sw-_rwUUntog3F6NX6wEZMduJJT2PTeCUQ-Tega6IsvCd1fbWyqA04fIcssGN9tAQnSrMCwQ?key=KOtt4HOYrR0qrZpMIpwKLQ\")
\n\n
\n Risk Factors<\/strong><\/td>\n Details<\/strong><\/td>\n<\/tr>\n \n Affected Products<\/td>\n CrushFTP servers with DMZ proxy configuration<\/td>\n<\/tr>\n \n Impact<\/td>\n Remote Code Execution (RCE)<\/td>\n<\/tr>\n \n Exploit Prerequisites<\/td>\n \u2013 No authentication required- Network access to \/WebInterface\/function\/ endpoint- HTTP POST capability- XML-RPC payload crafting<\/td>\n<\/tr>\n \n CVSS 3.1 Score<\/td>\n 9.8 (Critical)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Proof-of-Concept Exploitation\u00a0<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXf6NlV_GlSsYtFH3U_v-XV9Qr4NPTFIMfUqDUDny79n0eMq77JyDNrZtz0PIkfs0mrnhizk04fPbmCSKCr4dhDMszHYfVKrgVtwx2RHb6VzKgpRTXK2zj9yc-LZ5fI94d_FqvyM?key=KOtt4HOYrR0qrZpMIpwKLQ\")
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXc0OkNhD435y8fAhk3VtUm18AE2AA_uKc0E3VG2JH08TiEVylUmjVIJgEXyamTEa-IUWoZcEl23bVxyDsg13CKgYLYKC2O0UMOCWQFpYPFi22cT1ybVUHTHanRId5fAXqyXVwJ4YA?key=KOtt4HOYrR0qrZpMIpwKLQ\")
Integrate ANY.RUN TI Lookup<\/strong> with your SIEM or SOAR To Analyses Advanced Threats<\/strong> -> Try 50 Free Trial Searches<\/a> <\/strong><\/code><\/p>\n