
CVE-2025-63420: n/a

Published: Fri Nov 07 2025 (11/07/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A stored cross-site scripting (XSS) vulnerability in the CrushFTP 11.3.7_50 Admin Panel (Reports / 'Who Created Folder') allows authenticated attackers with permissions to create folders to inject malicious HTML/JavaScript.

AI-Powered Analysis

Last updated: 11/07/2025, 21:44:22 UTC

Technical Analysis

CVE-2025-63420 is a stored cross-site scripting (XSS) vulnerability identified in the CrushFTP 11.3.7_50 Admin Panel, specifically within the Reports feature labeled 'Who Created Folder'. This vulnerability allows authenticated attackers who have permissions to create folders to inject malicious HTML or JavaScript code that is stored and later executed when the report is viewed. Stored XSS vulnerabilities are particularly dangerous because the malicious payload persists on the server and can affect multiple users who access the vulnerable interface. In this case, the attacker must be authenticated and possess folder creation rights, which limits the attack surface to users with elevated privileges or specific roles. Once exploited, the attacker could execute arbitrary scripts in the context of the admin panel, potentially leading to session hijacking, theft of administrative credentials, or execution of further malicious actions within the application. The vulnerability does not currently have a CVSS score, no patches have been published, and there are no known exploits in the wild. The lack of a patch means organizations must rely on compensating controls until an update is released. The vulnerability highlights the importance of input validation and output encoding in web applications, especially in administrative interfaces. CrushFTP is a file transfer server used by organizations for secure file sharing and management, making the security of its admin panel critical. Attackers exploiting this vulnerability could gain a foothold in the administrative environment, potentially impacting the confidentiality and integrity of sensitive data managed through CrushFTP.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of administrative operations within CrushFTP environments. Since the vulnerability requires authenticated access with folder creation permissions, the threat is primarily to organizations with multiple administrators or users granted elevated privileges. Exploitation could lead to session hijacking or credential theft, enabling attackers to escalate privileges or move laterally within the network. This could compromise sensitive file transfer operations, disrupt business processes, and potentially expose confidential data. Organizations in sectors such as finance, healthcare, government, and critical infrastructure, which often rely on secure file transfer solutions like CrushFTP, could face operational disruptions and regulatory compliance issues if exploited. The absence of a patch increases the window of exposure, making timely mitigation critical. Additionally, stored XSS can facilitate persistent attacks affecting multiple users, amplifying the potential damage in collaborative environments. The impact on availability is limited but could occur indirectly if attackers leverage the vulnerability to deploy further attacks or disrupt services.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately review and restrict folder creation permissions within the CrushFTP admin panel to only trusted and necessary users. Implement strict role-based access controls (RBAC) to minimize the number of users with elevated privileges. Monitor admin panel logs and user activities for unusual behavior indicative of exploitation attempts. Employ web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the admin interface. Conduct regular security assessments and code reviews focusing on input validation and output encoding in the CrushFTP environment. Until an official patch is released, consider isolating the CrushFTP admin panel behind VPNs or IP whitelisting to limit access. Educate administrators about the risks of XSS and the importance of cautious interaction with folder creation features. Once a patch becomes available, prioritize its deployment. Additionally, implement multi-factor authentication (MFA) for admin access to reduce the risk of credential compromise.
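The two controls the analysis and the recommendations keep returning to, output encoding at render time and input validation at folder-creation time, are shown below in an added example that is not CrushFTP's code. A minimal "who created which folder" report renderer in Python is written in the vulnerable style and then hardened, with the sample rows and the harmless script marker constructed for the demonstration.

```python
import html
import re

# Constructed sample rows as a report might store them. The folder name is the
# only field a folder-creating user controls; the script marker is a harmless
# constructed value used to show the difference between the two renderers.
SAMPLE_ROWS = [
    {"folder": "quarterly-reports", "created_by": "alice"},
    {"folder": "<script>alert(1)</script>", "created_by": "mallory"},
]

# Characters that carry meaning in an HTML text or attribute context, plus the
# javascript: scheme, which legitimate folder names have no reason to contain.
MARKUP_RE = re.compile(r"""[<>"'&]|javascript:""", re.IGNORECASE)


def render_row_vulnerable(row: dict) -> str:
    """'Before' pattern: untrusted values are pasted straight into the markup."""
    return f"<tr><td>{row['folder']}</td><td>{row['created_by']}</td></tr>"


def render_row_hardened(row: dict) -> str:
    """Output-encode every untrusted value for the HTML context it lands in."""
    folder = html.escape(row["folder"], quote=True)
    who = html.escape(row["created_by"], quote=True)
    return f"<tr><td>{folder}</td><td>{who}</td></tr>"


def render_report(rows, hardened: bool = True) -> str:
    """Build the full report table with either renderer."""
    render = render_row_hardened if hardened else render_row_vulnerable
    body = "".join(render(r) for r in rows)
    return f"<table><tr><th>Folder</th><th>Created by</th></tr>{body}</table>"


def validate_folder_name(name: str) -> bool:
    """Input-side compensating control: reject folder names carrying markup."""
    return not MARKUP_RE.search(name)


def audit_stored_rows(rows) -> list:
    """Detection: list already-stored folder names that would fail validation."""
    return [r["folder"] for r in rows if not validate_folder_name(r["folder"])]
```

Output encoding is the fix that removes the bug; the validation and audit functions are the compensating controls to run while no patch is available.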


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 690e653fde4eb1b9f756d67e

Added to database: 11/7/2025, 9:31:43 PM

Last enriched: 11/7/2025, 9:44:22 PM

Last updated: 11/8/2025, 1:37:46 AM


