CrushFTP Zero-Day Flaw Exposes Servers to Full Takeover
A critical CrushFTP zero-day flaw has exposed servers to unauthenticated remote code execution, security researchers warned this week. Tracked as CVE-2025-54309 and scoring 9.8 on the CVSS scale, the vulnerability stems from improper request handling by CrushFTP’s DMZ proxy, which fails to enforce authentication on sensitive admin endpoints.
Attackers can exploit the flaw by sending crafted XML-RPC payloads to the /WebInterface/function/ path, triggering system commands without credentials. Because it can be triggered with simple POST requests, the flaw enables full system compromise and is highly accessible to threat actors.
Researchers released proof-of-concept exploit code on GitHub, which automates attacks using Python scripts. These tools support command injection, file uploads, and reconnaissance scans. Organizations should block access to vulnerable endpoints, apply vendor patches, and monitor for suspicious XML-RPC traffic.
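The monitoring recommendation above can be turned into a concrete log check. The following Python script is an added example, not code from the article or from CrushFTP: it parses web-server access logs in the Apache/nginx "combined" format (an assumption; adapt the regex to whatever your reverse proxy or CrushFTP front end actually writes), flags POST requests to the /WebInterface/function/ path named in the article, ignores sources on an administrator allowlist, and summarises the rest per source address. The log lines and the allowlisted address are constructed sample data, not real traffic.

```python
import re
from collections import Counter

# Regex for the Apache/nginx "combined" access-log format. This is an assumption
# about the log source; adjust it to match what your proxy or front end writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint prefix named in the advisory text above.
WATCHED_PREFIX = "/WebInterface/function/"


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines, allowlist=frozenset()):
    """Flag POST requests to the watched endpoint prefix from sources outside the allowlist.

    Returns a list of (ip, timestamp, path, status) tuples in log order.
    Unparseable lines are skipped rather than raising, so a noisy log does not
    abort the scan.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST":
            continue
        if not rec["path"].startswith(WATCHED_PREFIX):
            continue
        if rec["ip"] in allowlist:
            continue
        hits.append((rec["ip"], rec["ts"], rec["path"], int(rec["status"])))
    return hits


def summarize_by_ip(hits):
    """Count flagged requests per source address, most active first."""
    return Counter(ip for ip, _, _, _ in hits).most_common()


# Constructed sample lines (not real traffic): two benign GETs, one POST from an
# allowlisted admin host, three POSTs to the watched endpoint from an unknown
# source, and one malformed line to exercise the parser's skip path.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jul/2025:10:01:02 +0000] "GET /WebInterface/login.html HTTP/1.1" 200 5123',
    '198.51.100.7 - - [20/Jul/2025:10:01:09 +0000] "POST /WebInterface/function/ HTTP/1.1" 200 822',
    '192.0.2.44 - - [20/Jul/2025:10:02:15 +0000] "POST /WebInterface/function/ HTTP/1.1" 200 410',
    '192.0.2.44 - - [20/Jul/2025:10:02:16 +0000] "POST /WebInterface/function/ HTTP/1.1" 200 410',
    '192.0.2.44 - - [20/Jul/2025:10:02:18 +0000] "POST /WebInterface/function/ HTTP/1.1" 500 0',
    '203.0.113.5 - - [20/Jul/2025:10:03:00 +0000] "GET /WebInterface/ HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

# Constructed: the address of a known administrative jump host.
ADMIN_ALLOWLIST = frozenset({"198.51.100.7"})


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG, ADMIN_ALLOWLIST)
    for ip, ts, path, status in flagged:
        print(f"ALERT {ip} {ts} {path} -> {status}")
    print(summarize_by_ip(flagged))
```

Matching on the request path alone is deliberately coarse: access logs do not record request bodies, so the XML-RPC payload itself is not visible here. A single POST from an unknown address is worth a look on its own; a burst of them, as in the sample, is a strong signal and a good place to pivot into the application's own logs.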
Given the public availability of exploit tools and the severity of the vulnerability, security teams must act quickly to defend exposed infrastructure.