The flaw, designated CVE-2025-54309, represents one of the most severe security vulnerabilities discovered in enterprise file transfer solutions this year.
The vulnerability stems from a fundamental breakdown in security checks within CrushFTP’s DMZ proxy component.
Under normal circumstances, the DMZ proxy serves as a secure gateway designed to protect internal admin servers from direct internet exposure.
However, this critical flaw allows malicious actors to bypass these protections entirely by sending specially crafted HTTP POST requests to the /WebInterface/function/ endpoint without requiring any form of authentication.
The primary attack vector leverages XML-RPC (XML Remote Procedure Call), a protocol that uses XML formatting to encode function calls to remote servers.
Attackers can exploit this vulnerability by sending malicious XML payloads containing system.exec function calls with arbitrary commands as parameters.
The vulnerable server processes these unauthenticated requests and executes the embedded commands directly on the underlying operating system.
A typical malicious payload appears deceptively simple, consisting of XML-formatted methodCall elements that instruct the server to execute system commands such as id or uname -a.
The server’s failure to verify user authentication before processing these requests creates a direct pathway for remote code execution.
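Detection logic for the request pattern described above, added here as an example and not taken from the article, CrushFTP, or any published tooling. It flags POST requests to /WebInterface/function/ whose body is an XML-RPC methodCall naming system.exec; the record fields (src, method, path, session, body), the DTD marker and the sample records are constructed assumptions, not a CrushFTP log format.

```python
import xml.etree.ElementTree as ET

ENDPOINT = "/WebInterface/function/"  # endpoint named in the article
FLAGGED = {"system.exec"}             # XML-RPC method named in the article
DTD = "<dtd-rejected>"                # marker: body carried a DTD, not parsed

def xmlrpc_call(body):
    """Return (methodName, [string params]) for an XML-RPC methodCall, else None."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return DTD, []                # never expand entities from untrusted input
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    name = (root.findtext("methodName") or "").strip()
    return name, [(s.text or "").strip() for s in root.iter("string")]

def classify(rec):
    """Return an alert dict for a suspicious request record, or None."""
    if rec["method"] != "POST" or not rec["path"].startswith(ENDPOINT):
        return None
    call = xmlrpc_call(rec["body"])
    if call is None or (call[0] not in FLAGGED and call[0] != DTD):
        return None
    # No session on this endpoint matches the unauthenticated pattern exactly.
    severity = "high" if rec["session"] else "critical"
    return {"src": rec["src"], "call": call[0], "params": call[1], "severity": severity}

def scan(records):
    return [a for a in map(classify, records) if a]

# Constructed sample records (assumed field names, documentation IP ranges).
CALL = ("<methodCall><methodName>{}</methodName><params><param><value>"
        "<string>{}</string></value></param></params></methodCall>")
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "path": ENDPOINT, "session": "s1",
     "body": "command=example"},
    {"src": "198.51.100.7", "method": "POST", "path": ENDPOINT, "session": None,
     "body": CALL.format("system.exec", "id")},
    {"src": "192.0.2.11", "method": "GET", "path": "/favicon.ico",
     "session": None, "body": ""},
    {"src": "192.0.2.12", "method": "POST", "path": ENDPOINT, "session": "s2",
     "body": CALL.format("example.ping", "x")},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

This only works where request bodies are captured, for example at a reverse proxy or WAF in front of the server; access logs that record the path alone can narrow the search to POSTs on that endpoint but cannot confirm the method name.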
Security researchers have classified this vulnerability as critical for three primary reasons.
First, no authentication is required, eliminating traditional access barriers that typically protect against unauthorized intrusion.
Second, the vulnerability can be exploited remotely from anywhere on the internet, dramatically expanding the potential attack surface.
Finally, successful exploitation grants complete remote code execution capabilities, representing the highest level of system compromise possible.
This level of access enables attackers to steal sensitive data, install persistent malware, pivot to additional network resources, or weaponize compromised servers for launching attacks against other targets.
The combination of zero authentication requirements and full system control makes this vulnerability particularly dangerous for organizations relying on CrushFTP for secure file transfers.
Organizations running CrushFTP installations should immediately assess their exposure and implement available security updates.
The availability of proof-of-concept exploit code on platforms like GitHub has lowered the barrier for potential attackers, making rapid response essential.
System administrators should also consider temporarily isolating CrushFTP servers from direct internet access until patches can be applied and verified.
The discovery of CVE-2025-54309 underscores the ongoing challenges facing enterprise software security and the critical importance of maintaining robust authentication mechanisms in network-facing applications.
The post Critical CrushFTP 0-Day RCE Flaw -Technical Details and PoC Now Released appeared first on Cyber Security News.