CVE-2025-54309 allows unauthenticated remote code execution on CrushFTP servers. The vulnerability carries a critical CVSS score of 9.8 because of three factors: it requires no authentication, it is reachable from anywhere on the internet, and successful exploitation gives complete control of the host. Security researchers have already released proof-of-concept exploit code, which makes it urgent for organizations running CrushFTP to act now.

According to the pwn.guide advisory, the core weakness is CrushFTP's failure to properly authenticate requests to the /WebInterface/function/ admin endpoint: a specially crafted HTTP POST request to that endpoint passes the checks that should reject unauthenticated callers, so an attacker bypasses authentication entirely. CrushFTP's own advisory states that the flaw affects instances that expose the web interface directly; deployments fronted by a CrushFTP DMZ proxy, which acts as a gateway keeping the internal server off the public internet, are not affected.

The primary exploitation method described in the advisory uses the XML-RPC (XML Remote Procedure Call) interface to run arbitrary system commands: the attacker sends a malicious XML payload containing a system.exec call, and the server executes the operating system command directly. The published exploit tool supports several attack vectors beyond direct XML-RPC command execution, including command injection through the login form and malicious file uploads. Its advanced modes add reconnaissance scanning with the --recon flag and alternative payload types such as cmd_inject for command-injection attacks.

The vendor fixed the issue in CrushFTP 10.8.5 and 11.3.4_23. Any earlier 10.x or 11.x build should be treated as exposed and updated immediately, and until an internet-facing instance is patched, access to its admin endpoint should be restricted to known administrator addresses.
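As an added example, not code from the article, from the pwn.guide advisory or from CrushFTP itself, the Python helpers below do two things a responder would want at this point: decide from a version string whether a CrushFTP build predates the vendor's fix (10.8.5 on the 10.x branch, 11.3.4_23 on the 11.x branch, including the "_NN" build suffix CrushFTP uses), and scan web-server access logs for POST requests to the /WebInterface/function/ admin endpoint from hosts that are not on an administrator allow-list. The log format, the addresses and the allow-list are constructed for illustration, and the log rule is a triage heuristic of the author's own, not a vendor-published detection signature.

```python
"""CVE-2025-54309 (CrushFTP) triage helpers: version check plus a log heuristic.

Added example; not from the article, the advisory or CrushFTP. Fixed versions are
taken from the vendor advisory. The access-log format, IP addresses and admin
allow-list below are constructed for illustration only.
"""
import re
from typing import Iterable, List, Optional, Tuple

# First fixed build on each affected branch, as published by the vendor.
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

ADMIN_ENDPOINT = "/WebInterface/function/"

# Common-log-format line: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '11.3.4_23' into (11, 3, 4, 23). A missing build suffix counts as 0,
    so '11.3.4' sorts before '11.3.4_23', which is what the advisory implies."""
    main, _, build = version.strip().partition("_")
    parts = [int(p) for p in main.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], int(build) if build else 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the fix on its branch, False if it is at or
    after the fix, None for branches the advisory does not cover (9.x, 12.x)."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def flag_admin_function_posts(log_lines: Iterable[str],
                              admin_hosts: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Heuristic (an assumption, not a vendor signature): return (ip, path, status)
    for every POST to the admin function endpoint from a host not on the allow-list.
    Lines that do not match the expected log format are skipped rather than guessed."""
    allowed = set(admin_hosts)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["method"] == "POST"
                and m["path"].startswith(ADMIN_ENDPOINT)
                and m["ip"] not in allowed):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


# Constructed sample traffic (not real log data): one admin session from an
# allow-listed host and one POST to the admin endpoint from an unknown address.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jul/2025:09:00:01 +0000] "GET /WebInterface/login.html HTTP/1.1" 200 1420',
    '192.0.2.10 - - [31/Jul/2025:09:00:05 +0000] "POST /WebInterface/function/ HTTP/1.1" 200 88',
    '203.0.113.7 - - [31/Jul/2025:09:01:12 +0000] "POST /WebInterface/function/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [31/Jul/2025:09:01:13 +0000] "GET /WebInterface/ HTTP/1.1" 200 2300',
    'garbage line that does not parse',
]
ADMIN_HOSTS = {"192.0.2.10"}

if __name__ == "__main__":
    for v in ("10.8.4", "10.8.5", "11.3.4", "11.3.4_22", "11.3.4_23", "12.0.0"):
        state = is_vulnerable(v)
        print(v, "vulnerable" if state else "not covered" if state is None else "fixed")
    for hit in flag_admin_function_posts(SAMPLE_LOG, ADMIN_HOSTS):
        print("review:", hit)
```

A hit from the log scan is a reason to pull the request body and the server's own logs for that source, not proof of compromise; an unpatched version number, on the other hand, is reason enough to take the instance offline or restrict it until it is updated.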
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 31 Jul 2025 09:15:26 +0000