CVE-2025-63420: n/a
CrushFTP11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions.
AI Analysis
Technical Summary
CVE-2025-63420 identifies a stored HTML injection vulnerability in CrushFTP version 11 prior to 11.3.7_57. The flaw exists in the Admin Panel, specifically within the Reports feature under the 'Who Created Folder' section. An attacker with at least limited privileges (PR:L) can inject HTML content that is stored persistently and rendered in the context of administrator sessions when an administrator opens the report. This persistent injection can lead to unauthorized script execution, potentially enabling actions such as session hijacking, UI manipulation, or phishing within the admin interface. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating that user input is not adequately encoded before being rendered in the web interface. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N) shows that the attack is network exploitable with low attack complexity, requires privileges and user interaction, and impacts the integrity of the system with a scope change (S:C) because the injected content affects a different security context (the administrator's session) from the one in which it was stored. No known public exploits have been reported, but the vulnerability poses a risk to administrative control and to the trustworthiness of the CrushFTP management console. Because no patch link is attached to the record, organizations should monitor vendor updates closely and apply fixes promptly once available.
Potential Impact
For European organizations, this vulnerability could undermine the integrity of administrative operations on CrushFTP servers, potentially allowing attackers to inject malicious HTML that executes in admin sessions. This could lead to unauthorized actions such as manipulation of administrative data, session hijacking, or delivery of malicious payloads through the admin interface. While confidentiality and availability are not directly impacted, the integrity compromise could facilitate further attacks or unauthorized changes to file transfer configurations. Organizations relying on CrushFTP for critical file transfer operations, especially those handling sensitive or regulated data, may face increased risk of administrative compromise. The requirement for privileges and user interaction limits the attack surface but does not eliminate risk, particularly in environments with multiple administrators or where insider threats exist. The medium severity rating suggests a moderate but non-trivial risk that should be addressed to maintain secure operations.
Mitigation Recommendations
1. Immediately upgrade CrushFTP to version 11.3.7_57 or later once the patch is available to remediate the vulnerability.
2. Until a patch is applied, restrict access to the CrushFTP Admin Panel to trusted administrators only and enforce strict access controls and network segmentation to limit exposure.
3. Implement multi-factor authentication (MFA) for all administrative accounts to reduce the risk of compromised credentials being exploited.
4. Regularly audit and monitor admin panel activity logs for unusual or unauthorized actions that could indicate exploitation attempts.
5. Educate administrators about the risks of interacting with untrusted input or reports and encourage cautious behavior when reviewing report data.
6. Employ web application firewalls (WAF) with custom rules to detect and block suspicious HTML or script injection attempts targeting the admin interface.
7. Conduct periodic security assessments and penetration testing focused on the admin panel to identify and remediate similar injection flaws proactively.
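The CWE-79 pattern described in the technical summary, and the audit check suggested in recommendation 4, as an added illustration that is not CrushFTP's own code: a report row whose "created by" field is user-controlled is rendered once without output encoding (the vulnerable shape) and once with HTML escaping applied at render time (the fix), and a small audit helper flags stored values that already contain markup. The row format, field names and sample values are constructed assumptions, not the product's real data model.

```python
import html
import re

# Constructed sample of stored "Who Created Folder" rows. The created_by value
# originates from a low-privileged user and is later shown to an administrator.
SAMPLE_ROWS = [
    {"folder": "/reports/q3", "created_by": "alice"},
    # constructed: a display name that carries HTML markup
    {"folder": "/uploads/tmp", "created_by": "<i>bob</i> <b>&co</b>"},
]

ROW_TEMPLATE = "<tr><td>{folder}</td><td>{created_by}</td></tr>"


def render_row_unsafe(row: dict) -> str:
    """Vulnerable shape (CWE-79): stored values are pasted straight into HTML,
    so any markup in created_by is interpreted by the administrator's browser."""
    return ROW_TEMPLATE.format(folder=row["folder"], created_by=row["created_by"])


def render_row_safe(row: dict) -> str:
    """Hardened shape: every stored value is HTML-escaped at the point of output,
    so markup is displayed as literal text rather than interpreted."""
    return ROW_TEMPLATE.format(
        folder=html.escape(row["folder"], quote=True),
        created_by=html.escape(row["created_by"], quote=True),
    )


def render_report(rows: list, safe: bool = True) -> str:
    """Assemble the report table using the chosen row renderer."""
    render = render_row_safe if safe else render_row_unsafe
    body = "".join(render(r) for r in rows)
    return "<table><tr><th>Folder</th><th>Created by</th></tr>" + body + "</table>"


# Anything that looks like a tag or an entity has no business in a display name.
MARKUP_RE = re.compile(r"<[^>]*>|&[#a-zA-Z0-9]+;")


def audit_rows(rows: list) -> list:
    """Defensive audit for recommendation 4: list folders whose stored
    created_by value contains HTML markup, for follow-up by an administrator."""
    return [r["folder"] for r in rows if MARKUP_RE.search(r["created_by"])]
```

The escaping shown is correct for HTML text and attribute-value contexts; a value inserted into a JavaScript or URL context would need the encoding appropriate to that context instead.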
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 690e653fde4eb1b9f756d67e
Added to database: 11/7/2025, 9:31:43 PM
Last enriched: 11/14/2025, 10:32:40 PM
Last updated: 12/22/2025, 9:52:58 PM