Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)

Rule Info

Name
Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
Author
Nisarg Suthar
Description
Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.
Reference
https://reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/
Date
2025-08-01 00:00:00
Modified
None
Id
0fdc7c7f-c690-4217-9ae3-31f5156eed72
Tags
attack.initial-access attack.execution attack.t1059.001 attack.t1059.003 attack.t1068 attack.t1190 cve.2025-54309 detection.emerging-threats
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=0fdc7c7f-c690-4217-9ae3-31f5156eed72

Rule History

Author
Title
Date
Commit
Nisarg Suthar
Merge PR #5576 from @nisargsuthar - CrushFTP RCE vulnerability CVE-2025-54309
2025-09-22
042b8dfd0
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022