Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)

Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of an RCE vulnerability such as CVE-2025-54309.

Sigma rule

title: Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
id: 0fdc7c7f-c690-4217-9ae3-31f5156eed72
status: experimental
description: Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of an RCE vulnerability such as CVE-2025-54309.
references:
    - https://reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/
    - https://pwn.guide/free/web/crushftp
    - https://firecompass.com/crushftp-vulnerability-cve-2025-54309-securing-file-transfer-services/
author: Nisarg Suthar
date: 2025-08-01
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1068
    - attack.t1190
    - cve.2025-54309
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\crushftp.exe'
    selection_child_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'IEX'
            - 'enc'
            - 'Hidden'
            - 'bypass'
    selection_child_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - '/c powershell'
            - 'whoami'
            - 'net.exe'
            - 'net1.exe'
    selection_child_others:
        Image|endswith:
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate administrative command execution
level: high
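How the rule's condition resolves against real events, as an added example that is not part of the Sigma rule or its repository: a small matcher implementing the selections above, run over constructed process-creation events. It shows that Sigma string matching is case-insensitive by default, that `contains|all` requires every listed substring (so an encoded PowerShell command line without a literal `IEX` does not fire the powershell selection), and that `selection_child_others` fires on the image name alone. Paths, field names and command lines are constructed for the test.

```python
# Added example, not part of the Sigma rule or its repository: a minimal evaluator for this
# rule's selections over constructed events. Sigma matching is case-insensitive by default.
RULE = {
    "selection_parent": {"ParentImage|endswith": ["\\crushftp.exe"]},
    "selection_child_powershell": {
        "Image|endswith": ["\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe"],
        "CommandLine|contains|all": ["IEX", "enc", "Hidden", "bypass"]},
    "selection_child_cmd": {
        "Image|endswith": ["\\cmd.exe"],
        "CommandLine|contains": ["/c powershell", "whoami", "net.exe", "net1.exe"]},
    "selection_child_others": {
        "Image|endswith": ["\\bitsadmin.exe", "\\certutil.exe", "\\mshta.exe",
                           "\\cscript.exe", "\\wscript.exe"]},
}

def field_matches(value, modifiers, patterns):
    # 'endswith' / 'contains' are the only modifiers this rule uses; 'all' turns OR into AND.
    value, patterns = value.lower(), [p.lower() for p in patterns]
    if "endswith" in modifiers:
        hits = [value.endswith(p) for p in patterns]
    else:
        hits = [p in value for p in patterns]
    return all(hits) if "all" in modifiers else any(hits)

def selection_matches(event, selection):
    # Fields inside one selection are AND-ed; a missing field never matches.
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if not field_matches(event.get(field, ""), modifiers, patterns):
            return False
    return True

def rule_matches(event):
    # condition: selection_parent and 1 of selection_child_*
    return selection_matches(event, RULE["selection_parent"]) and any(
        selection_matches(event, RULE[n]) for n in RULE if n.startswith("selection_child_"))

CRUSH, CMD = r"C:\CrushFTP\crushftp.exe", r"C:\Windows\System32\cmd.exe"  # constructed paths
SAMPLE_EVENTS = [  # constructed events using Sysmon EID 1 / Security 4688 field names
    {"ParentImage": CRUSH, "Image": CMD, "CommandLine": "cmd.exe /c whoami"},             # match
    {"ParentImage": CRUSH, "Image": CMD, "CommandLine": "cmd.exe /c dir C:\\CrushFTP"},   # no term
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": CMD, "CommandLine": "cmd.exe /c whoami"},  # parent
    {"ParentImage": CRUSH, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -w hidden -ep BYPASS -enc <base64-placeholder>"},  # 3 of 4 'all' terms
    {"ParentImage": CRUSH, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -hashfile update.zip SHA256"},                   # image alone suffices
]

def evaluate(events=SAMPLE_EVENTS):
    return [rule_matches(e) for e in events]
```

The last sample is also the shape of the listed false positive: a benign certutil or script-host invocation under crushftp.exe still alerts, so triage should look at the child's command line and the preceding CrushFTP web requests.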
