First Look at CVE-2025-54309: Dissecting the Latest CrushFTP Exploit

ReliaQuest analyzed active exploitation of a zero-day in CrushFTP (CVE-2025-54309) where attackers abused weak AS2 validation—an unprotected alternative communication channel—to bypass primary authentication, gain administrative access, enumerate directories, and attempt to overwrite the default user to create a persistent backdoor; IP allowlists and policy restrictions prevented full compromise and CrushFTP has released a patch and IOCs.