CVE-2025-54309 CrushFTP CVE debrief

Who should care

CrushFTP administrators, security operations teams, vulnerability management teams, and incident responders responsible for internet-facing or internally reachable CrushFTP deployments.

Technical summary

The available source data identifies the issue as a CrushFTP "Unprotected Alternate Channel Vulnerability" and records it in CISA’s Known Exploited Vulnerabilities catalog. The KEV inclusion indicates confirmed exploitation risk significant enough to warrant immediate mitigation planning. The supplied corpus does not include additional technical details beyond the vulnerability name and KEV status.

Defensive priority

High. KEV listing indicates active exploitation risk and makes this a time-sensitive remediation item.

Recommended defensive actions

• Apply mitigations according to vendor instructions as soon as possible.
• If the product is available as a cloud service in your environment, follow applicable CISA BOD 22-01 guidance.
• If mitigations are not available or cannot be applied promptly, discontinue use of the product until a safe path is available.
• Confirm whether any CrushFTP instances are deployed, exposed, or reachable in your environment.
• Prioritize verification and remediation before the KEV due date of 2025-08-12.
• Monitor the official CVE and NVD records for any status updates or additional vendor guidance.

Evidence notes

CISA’s KEV entry names the vulnerability as "CrushFTP Unprotected Alternate Channel Vulnerability," lists vendor/product as CrushFTP/CrushFTP, and sets dateAdded to 2025-07-22 with dueDate 2025-08-12. The KEV metadata explicitly instructs defenders to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable. The supplied corpus also points to the official CVE record and NVD detail page.

Official resources