Critical Vulnerability in Over 1,400 CrushFTP Servers Actively Exploited

April 25, 2024

Over 1,400 internet-exposed CrushFTP servers have been identified as vulnerable to a critical server-side template injection (SSTI) flaw that is under active exploitation. The vulnerability, tracked as CVE-2024-4040 and previously exploited as a zero-day, is described by CrushFTP as a VFS sandbox escape in its managed file transfer software that allows arbitrary file reads; in practice, unauthenticated attackers can use it to execute code remotely on unpatched systems.

The company issued an urgent warning to its customers last Friday to 'update immediately' to prevent attackers from escaping the user's virtual file system (VFS) and accessing system files. Rapid7, a cybersecurity firm, confirmed the severity of the flaw on Tuesday, stating it was 'fully unauthenticated and trivially exploitable.' 'Successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution,' Rapid7 added.

Researchers from the Shadowserver threat monitoring platform have found 1,401 exposed CrushFTP servers that have not been patched, with the majority located in the United States (725), followed by Germany (115), and Canada (108). Shodan, an internet search engine, currently tracks 5,232 CrushFTP servers exposed online, although it does not provide information on how many of these might be susceptible to attacks.

Cybersecurity firm CrowdStrike published an intelligence report last Friday, following CrushFTP's disclosure of the actively exploited zero-day and the release of patches. Based on findings by its Falcon OverWatch and Falcon Intelligence teams, the report said the zero-day was being exploited in targeted attacks against the CrushFTP servers of multiple U.S. organizations, in what appeared to be a politically motivated intelligence-gathering campaign.

CrushFTP users are urged to regularly visit the vendor's website for the most recent instructions and to prioritize patching to guard against ongoing exploitation attempts. The Cybersecurity and Infrastructure Security Agency (CISA) also added CVE-2024-4040 to its Known Exploited Vulnerabilities catalog on Wednesday, directing U.S. federal agencies to secure their vulnerable servers by May 1st. Back in November, CrushFTP customers were also advised to patch a critical RCE vulnerability (CVE-2023-43177) following the publication of a proof-of-concept exploit by Converge security researchers who discovered and reported the flaw.
