Security researchers have identified active exploitation of a critical vulnerability in CrushFTP, a file transfer server product, tracked as CVE-2025-54309 with a CVSS score of 9.0. Attackers are leveraging the flaw to gain administrative access over HTTPS on instances that are not deployed behind a demilitarized zone (DMZ), and many systems remain unpatched and vulnerable. The vulnerability was reverse engineered shortly after a patch was released, enabling rapid attacks in the wild. In a related development, a new phishing technique dubbed 'PoisonSeed' has been found to circumvent FIDO security keys, which are widely regarded as a secure authentication method. The attack abuses a legitimate cross-device sign-in feature: victims are tricked into scanning an authentic QR code, which lets the adversary bypass the FIDO key protection and obtain full account access. The technique exploits a fallback authentication mechanism in FIDO keys, exposing users to adversary-in-the-middle attacks. Together, these findings highlight ongoing challenges for cybersecurity defenses as threat techniques evolve.
Presented as one of the most secure ways to sign in, FIDO keys nevertheless did not prevent a group of hackers from taking control of protected accounts by relying on a poorly controlled secondary authentication function. https://t.co/uyCITc3kLe
Fallback mechanism found in FIDO keys is being abused in adversary-in-the-middle attacks. https://t.co/DAkuJDg5gA
Critical Zero-Day Exposes FTP Servers To Attack https://t.co/6MraCptqmK