CrushFTP Hit by Critical 0-Day RCE Vulnerability – Full Technical Details and PoC Published

Security researchers have disclosed a critical zero-day vulnerability in CrushFTP, a popular file transfer server solution, that allows attackers to execute arbitrary commands on affected systems without authentication.

The vulnerability, tracked as CVE-2025-54309, has been assigned a maximum CVSS score of 9.8 and poses an immediate threat to organizations running vulnerable CrushFTP installations.

Authentication Bypass Leads to Complete System Compromise

The vulnerability stems from a fundamental security failure in CrushFTP’s DMZ proxy implementation.

In typical deployments, this proxy serves as a protective barrier between the public internet and internal admin servers.

However, the flaw allows attackers to bypass authentication entirely by sending specially crafted HTTP POST requests to the /WebInterface/function/ endpoint.

“The server mistakenly processes unauthenticated requests, granting attackers direct command execution capabilities on the underlying operating system,” security researchers explained in their disclosure.

This represents one of the most severe types of vulnerabilities possible, as it ...