CrushFTP
cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*
- < 10.8.5
- < 11.3.4_23
This vulnerability is being actively exploited in the wild.
CrushFTP versions 10 prior to 10.8.5 and 11 prior to 11.3.4_23 mishandle AS2 validation when the DMZ proxy feature is not in use. This flaw allows remote attackers to gain administrative access over HTTPS. The issue was actively exploited in July 2025.
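The affected ranges above are easy to misread because CrushFTP appends a build number after an underscore (11.3.4 is affected, 11.3.4_23 is not). The following helper, added here as an example and not part of CrushFTP or this entry, parses that format and applies the two ranges and the DMZ-proxy condition stated in the advisory. It assumes version strings of the form MAJOR.MINOR.PATCH with an optional _BUILD suffix, compared numerically, with a missing build treated as 0; versions outside majors 10 and 11 are not covered by this entry and are reported as not affected.

```python
"""Check a CrushFTP version string against the ranges in this entry.

Added example, not CrushFTP's own code. Assumption: version strings look
like "MAJOR.MINOR.PATCH" with an optional "_BUILD" suffix (e.g. "11.3.4_23")
and compare numerically component by component; a missing build number is
treated as 0.
"""

import re
from typing import Tuple

# Fixed versions as stated in the advisory: 10 before 10.8.5, 11 before 11.3.4_23.
FIXED_VERSIONS = {
    10: "10.8.5",
    11: "11.3.4_23",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse "11.3.4_23" into (11, 3, 4, 23); the build defaults to 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_affected(version: str) -> bool:
    """True if the version is inside one of the two vulnerable ranges.

    Majors other than 10 and 11 are not covered by this entry, so they are
    reported as not affected; re-check against a newer advisory for those.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return False
    # Tuple comparison handles the build number: (11,3,4,0) < (11,3,4,23).
    return v < parse_version(fixed)


def is_exploitable(version: str, dmz_proxy_in_use: bool = False) -> bool:
    """Combine the version check with the advisory's DMZ-proxy condition.

    The entry says the flaw applies when the DMZ proxy feature is not used.
    A DMZ deployment still runs vulnerable code and should be upgraded; this
    function only mirrors the exposure condition as the advisory states it.
    """
    return is_affected(version) and not dmz_proxy_in_use


if __name__ == "__main__":
    for sample in ("10.8.4", "10.8.5", "11.3.4", "11.3.4_23", "11.3.3_99"):
        print(f"{sample:>10}: affected={is_affected(sample)}")
```

Run it against the version string shown in the CrushFTP admin UI or its server banner; a result of True means upgrade to 10.8.5 or 11.3.4_23 or later regardless of the DMZ proxy setting.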
Exploitation of this vulnerability allows remote attackers to obtain administrative access on the affected CrushFTP server.
Users can restore a compromised default admin user from a backup taken before the compromise. CrushFTP keeps these backups as zip files under 'users/MainUsers/default' inside the CrushFTP folder. Note that the native Windows unzip tool cannot extract these zip files; use WinRAR, WinZip, or macOS's Archive Utility instead. Alternatively, delete the default user and CrushFTP will recreate it, although any customizations will be lost.