Public proof-of-concepts are a starting point, not a finish line. This blog demonstrates how a public CVE can be taken further than existing proof-of-concepts by exploring additional attack paths.
The Starting Point
During a 14-day Synack target test, I noticed that the analytics section of the target contained several XSS vulnerabilities and one path traversal vulnerability. I copied the vulnerable URL path of the path traversal vulnerability and searched for it online to see whether anything related showed up. That quick search led me to CVE-2025-32103, an authenticated path traversal vulnerability in CrushFTP.

Trying Multiple CVEs
Once I confirmed the application was likely running CrushFTP, I began looking for other older and newer CrushFTP CVEs with public exploits, since the target did not reveal its version number. The only option was trial and error: testing multiple CVEs to see which one worked.
After trying several vulnerabilities without success, I eventually came across CVE-2025-54309 – Authentication Bypass via Race Condition.
What is CVE-2025-54309?
CVE-2025-54309 is an authentication bypass vulnerability in CrushFTP 10 (before 10.8.5) and 11 (before 11.3.4_23) caused by improper AS2 validation when the DMZ proxy feature is disabled. This flaw allows remote attackers to gain administrator access over HTTPS without prior authentication by exploiting a race condition in the request handling process. A blog post by watchTowr helped me understand the vulnerability and exploitation approach.
Trying Internet POCs
One of the public POC exploits I found demonstrated user enumeration, but username enumeration is considered low impact on Synack, so it wasn’t enough to prove an impact. I needed something that could demonstrate real exploitation potential.
I continued searching and found another POC that could create a new admin account. This looked promising. I tested the exploit and successfully created a new admin user, but the login failed. It turned out that the functionality required to log in was not available on the target CrushFTP instance.
At this point, I was stuck. The internet didn’t have any additional POCs beyond what I had already tried.
A Different Angle
Instead of relying entirely on existing exploits, I decided to take a different approach. While reviewing the public POCs more closely, I noticed that they interacted with specific body parameters, such as command and other supporting parameters, which were sent to the /WebInterface/function/ endpoint through POST requests.

This observation made me consider that there might be other command parameter values capable of triggering additional administrative actions.
Finding Hidden Command Values
CrushFTP documentation did not reveal much about its internal admin command values. Since CrushFTP is not open source, reviewing the official source code was not an option. As a result, I began searching across various sources such as blogs, social media, and forums to see if anyone had mentioned any new command values.
No luck. My next step was to search developer platforms like GitHub.
A Goldmine on GitHub
While searching GitHub, I used the keyword “CrushFTP getUserList.” (Note: getUserList is a command parameter value used to retrieve the list of users from the server.)


After browsing several repositories, I found that old versions of the CrushFTP source code (versions 6, 7, and 8) are publicly available. Even though these versions were old, they were still incredibly valuable because they might contain admin command parameter values.
Discovering the Admin Endpoint Handler
While exploring the code, I found a critical file responsible for handling admin functionality.

This file contains numerous admin command parameter values. Exactly what I needed.
Building a Better POC Using AI
At this stage I had:
- A public POC for the authentication bypass
- A list of admin commands from the source code
I used Anti-Gravity with the Gemini model to enhance the POC and integrate the newly discovered command parameter values. Instead of testing everything, I deliberately chose three command parameter values and supporting parameters. Gemini returned an exploit script that incorporated those commands.
Testing the New Exploit
I tested the updated exploit against the target by exploiting the race condition to bypass authentication. The three commands returned the following:
- Dumped Server Configuration – Server registration code and license details, live administrative and user sessions (including usernames, source IPs, and real-time file transfer paths), active protocols such as FTP and HTTP/WebDAV, and logs of failed login attempts.
- Dumped Session Logs – Full server log files containing session cookies along with complete HTTP requests.
- Dumped Credentials – Clear text and hashed passwords for internal services, along with internal endpoints such as the MySQL backend and SMTP proxy server.

The authentication bypass was now clearly demonstrating real-world impact, as it allowed the retrieval of sensitive credentials. Other researchers can experiment with different command parameter values to identify additional ways this vulnerability could be exploited.
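As an added defender-side example (not part of the original post and not CrushFTP's own code): detection logic run over constructed access-log lines that flags the two traffic patterns the exploitation above relies on, a burst of POSTs to /WebInterface/function/ (race attempts) and an admin command value such as getUserList succeeding after repeated denials. The log line format, the 401/200 status codes and the sample IPs are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample access log (not real CrushFTP output); the line format
# "<ISO timestamp> <client ip> <method> <path> <status>" is an assumption.
SAMPLE_LOG = """\
2025-07-20T10:00:00 203.0.113.5 POST /WebInterface/function/?command=getUserList 401
2025-07-20T10:00:00 203.0.113.5 POST /WebInterface/function/?command=getUserList 401
2025-07-20T10:00:01 203.0.113.5 POST /WebInterface/function/?command=getUserList 401
2025-07-20T10:00:01 203.0.113.5 POST /WebInterface/function/?command=getUserList 200
2025-07-20T10:05:00 198.51.100.9 POST /WebInterface/function/?command=login 200
2025-07-20T10:05:02 198.51.100.9 POST /WebInterface/function/?command=getUserList 200
"""
ENDPOINT = "/WebInterface/function/"
ADMIN_COMMANDS = {"getUserList"}  # the only value named on the page; extend per your version
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
CMD_RE = re.compile(r"[?&]command=([^&\s]+)")
def parse_line(line):
    """Return (timestamp, ip, method, path, status, command) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    cmd = CMD_RE.search(path)
    return (datetime.fromisoformat(ts), ip, method, path, int(status),
            cmd.group(1) if cmd else None)
def find_suspicious(log_text, burst=4, window=timedelta(seconds=2), min_denials=2):
    """Map client IP -> sorted list of reasons. 'burst' = at least `burst` POSTs to
    the function endpoint inside `window` (race attempts); 'admin-after-denials' =
    an admin command accepted after repeated 401s from the same client."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].startswith(ENDPOINT):
            per_ip[rec[1]].append(rec)
    findings = defaultdict(set)
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[0])
        if any(recs[i + burst - 1][0] - recs[i][0] <= window
               for i in range(len(recs) - burst + 1)):
            findings[ip].add("burst")
        denied = 0
        for _, _, _, _, status, cmd in recs:
            if cmd in ADMIN_COMMANDS:
                if status == 401:
                    denied += 1
                elif status == 200 and denied >= min_denials:
                    findings[ip].add("admin-after-denials")
    return {ip: sorted(v) for ip, v in findings.items()}
```

In a real deployment the command value arrives in the POST body, so this needs a log source that records it (a reverse proxy or WAF with body logging), not a plain access log.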
Conclusion
Public POCs should be treated as starting points rather than final solutions. When existing exploits don’t work, exploring alternative approaches can reveal new attack paths. Even old source code can provide valuable insight into an application’s internal logic.
Thanks for reading. Be sure to follow Synack and the Synack Red Team on LinkedIn for upcoming blogs in this Exploits Explained series.
Frequently Asked Questions
What is CVE-2025-54309?
CVE-2025-54309 is an authentication bypass vulnerability in CrushFTP caused by improper AS2 validation when the DMZ proxy feature is disabled. It allows unauthenticated remote attackers to gain administrator-level access over HTTPS by exploiting a race condition in the request handling process.
Which versions of CrushFTP are affected?
CrushFTP 10 versions before 10.8.5 and CrushFTP 11 versions before 11.3.4_23 are affected. Organizations should upgrade to a patched version immediately.
Why weren’t the existing public POCs sufficient?
The most widely available public POCs demonstrated user enumeration, which carries low impact in most security programs. A second POC could create new admin accounts but failed at login due to target-specific limitations. Neither demonstrated the sensitive data exposure that this research ultimately uncovered.
How did this researcher go beyond the public POC?
By analyzing how existing POCs interacted with CrushFTP’s API endpoints, identifying that other undocumented command parameter values likely existed, and locating legacy CrushFTP source code on GitHub that contained a list of admin command handlers. Those commands were then integrated into an AI-enhanced exploit script.
What real-world impact does this vulnerability carry?
Successful exploitation can expose server credentials (including clear text and hashed passwords), active session data with user IPs and file transfer paths, internal infrastructure endpoints like MySQL and SMTP, and full server log files containing session cookies.
About the Author
IronRoot is a member of the Synack Red Team with deep expertise in web application penetration testing, red team operations, and security research. He works as a security engineer and is an HTB Certified Penetration Testing Specialist (CPTS) with an HTB Web Penetration Testing Certification (CWES) alongside credentials in GCP, Azure, AWS, and ISC2 CC. His research spans SAST, DAST, network penetration testing, and Active Directory security, with a growing focus on applying generative AI to enhance exploit development.