Sunday, January 18, 2026

CrushFTP 0-Day RCE Vulnerability: Technical Details & PoC Released

A critical zero-day vulnerability in CrushFTP has been disclosed, allowing attackers to achieve remote code execution without authentication.

The vulnerability, tracked as CVE-2025-54309, has received a maximum CVSS score of 9.8 and affects the software’s DMZ proxy functionality.

Security researchers have released a proof-of-concept exploit demonstrating how attackers can execute arbitrary commands on vulnerable servers through specially crafted XML-RPC requests to the /WebInterface/function/ endpoint.

The core issue lies within CrushFTP’s DMZ proxy implementation, which is designed to act as a secure gateway protecting internal admin servers from external threats.

However, the vulnerability allows attackers to completely bypass authentication mechanisms by sending malicious HTTP POST requests directly to administrative endpoints.

The server fails to validate user credentials before processing these requests, treating unauthenticated requests as legitimate administrative commands.

This breakdown in security controls means that any attacker with network access to the CrushFTP server can potentially compromise the entire system.

The vulnerability particularly affects organizations using CrushFTP’s DMZ configuration, where the proxy should theoretically prevent unauthorized access to sensitive administrative functions.

The flaw essentially renders the DMZ security model ineffective, exposing internal systems to direct attack.

CrushFTP 0-Day RCE Vulnerability

The primary attack method leverages the XML-RPC (XML Remote Procedure Call) protocol to execute system commands remotely.

Attackers craft malicious XML payloads containing the system.exec method call, which instructs the server to execute arbitrary operating system commands.

A typical exploit payload includes XML structures with embedded commands such as id, uname -a, or whoami to gather system information or establish persistent access.

The exploitation process involves sending a specially formatted XML document to the vulnerable endpoint, with the command enclosed within <methodCall> and <methodName> tags.

The server processes these requests without proper authorization checks, executing the contained commands and returning results to the attacker.
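As an added illustration of the detection side (not code from the advisory, the PoC, or CrushFTP itself), the following Python flags requests matching the pattern just described: POSTs to /WebInterface/function/ whose body is an XML-RPC methodCall naming system.exec, rated higher when no session marker is present. The request records are constructed samples, and the CrushAuth cookie marker is an assumption about how a logged-in session appears in a given deployment.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

WATCHED_PATH = "/WebInterface/function/"     # endpoint named in the advisory
WATCHED_METHODS = {"system.exec"}            # XML-RPC method named in the advisory
SESSION_MARKERS = ("CrushAuth=",)            # assumption: cookie marker of a logged-in session

@dataclass
class HttpRequest:
    method: str
    path: str
    body: str = ""
    headers: dict = field(default_factory=dict)

def rpc_method_call(body: str) -> Optional[tuple]:
    """Return (methodName, first string param) for an XML-RPC methodCall body, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:            # form-encoded bodies are normal for this endpoint
        return None
    if root.tag != "methodCall":
        return None
    name = root.findtext("methodName", default="").strip()
    arg = root.findtext("./params/param/value/string", default="").strip()
    return (name, arg) if name else None

def has_session(req: HttpRequest) -> bool:
    return any(m in req.headers.get("Cookie", "") for m in SESSION_MARKERS)

def classify(req: HttpRequest) -> Optional[dict]:
    """Alert on POSTs to the watched endpoint that carry a watched XML-RPC method."""
    if req.method.upper() != "POST" or not req.path.startswith(WATCHED_PATH):
        return None
    call = rpc_method_call(req.body)
    if call is None or call[0] not in WATCHED_METHODS:
        return None
    severity = "high" if not has_session(req) else "medium"  # no session = pre-auth pattern above
    return {"severity": severity, "method": call[0], "arg": call[1], "path": req.path}

# Constructed sample traffic (not captured data): a routine call and an attack-shaped one.
SAMPLES = [
    HttpRequest("POST", WATCHED_PATH, "command=ping", {"Cookie": "CrushAuth=abc123"}),
    HttpRequest("POST", WATCHED_PATH,
                "<methodCall><methodName>system.exec</methodName><params><param>"
                "<value><string>id</string></value></param></params></methodCall>"),
]

def scan(requests=SAMPLES) -> list:
    return [a for a in map(classify, requests) if a is not None]
```

In a real deployment the same classify() call would run over reverse-proxy or WAF request logs, where a "high" hit on an unpatched host warrants isolating the server before further triage.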

Security researchers have published a comprehensive proof-of-concept exploit on GitHub, complete with reconnaissance capabilities and multiple attack vectors.

The PoC script includes functionality for version fingerprinting, endpoint scanning, and various payload delivery methods including XML-RPC calls, command injection, and file upload attacks.

Researchers have also identified alternative exploitation methods, including command injection through login forms and file upload vulnerabilities that allow attackers to write malicious files directly to the server filesystem.

Immediate Patching Requirements

The vulnerability’s CVSS 9.8 rating reflects its severe potential impact across three critical dimensions: no authentication requirements, remote exploitation capability, and complete system compromise potential.

According to the report, organizations running CrushFTP should immediately review their installations for this vulnerability and apply the available patches.

Successful exploitation grants attackers full control over the targeted server, enabling data theft, malware installation, and lateral movement within compromised networks.

The public availability of the PoC tool significantly lowers the barrier for attackers to exploit vulnerable CrushFTP installations.

The combination of the vulnerability’s critical severity, ease of exploitation, and public availability of working exploits creates an urgent security risk requiring immediate remediation efforts.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
