A newly discovered zero-day vulnerability, identified as CVE-2025-54309, has been found in CrushFTP, a widely used enterprise file transfer platform. The flaw lets attackers quietly gain full administrative control through the web interface, particularly in deployments that do not use the DMZ proxy feature. It stems from improper handling of AS2 validation over HTTPS and, notably, was uncovered when attackers reverse-engineered a previous patch and found this overlooked weakness. Internet-facing servers are especially exposed, and the incident is a reminder that even well-intentioned fixes can open new doors for exploitation. CrushFTP has released critical patches; organizations are urged to update without delay and to consider enabling the DMZ proxy to reduce future exposure.