CrushFTP Urges Users to Immediately Patch Exploited Zero-Day Vulnerability

April 19, 2024

CrushFTP alerted its users today through a private memo about a zero-day vulnerability that is being actively exploited. The bug is fixed in the latest releases, and users are advised to update their servers without delay. In a public security advisory, the company explained that the vulnerability allows attackers, even unauthenticated ones, to escape the user's virtual file system (VFS) and read files elsewhere on the host. According to CrushFTP, servers that sit behind a DMZ perimeter instance in front of the main CrushFTP server are not at risk.

The company sent an email to its customers stating, "Please take immediate action to patch ASAP. A vulnerability was reported today (April 19th, 2024), and we patched it immediately. [..] This vulnerability exists in the wild." The email added, "The bottom line of this vulnerability is that any unauthenticated or authenticated user via the WebInterface could retrieve system files that are not part of their VFS. This could lead to escalation as they learn more, etc."

CrushFTP also urged customers still running CrushFTP v9 to upgrade to v11, and all customers to update their instance through the dashboard as soon as possible. The company reassured users that a simple rollback is available if the update causes issues or regressions. The flaw, reported by Simon Garrelou of Airbus CERT, is fixed in CrushFTP versions 10.7.1 and 11.1.0.
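The fixed versions above give defenders a simple triage rule: a 10.x build below 10.7.1 or an 11.x build below 11.1.0 is unpatched, and any v9 build has no fix at all. The following is an added example (not CrushFTP's code) that applies that rule to a constructed asset inventory and sorts hosts whose web interface is reachable from the internet to the top, since those are the ones the advisory says can be hit without credentials. The version strings and hostnames are made up; the function names are this example's own.

```python
"""Triage CrushFTP hosts against the fixed releases named in the advisory.

Added example for this article, not vendor code. Version strings such as
"CrushFTP 10.5" or "v11.0.2" are assumed to come from an asset inventory.
"""

# Minimum patched release per major branch, taken from the advisory.
# Branch 9 is absent on purpose: it has no fixed release, only an upgrade path to v11.
FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text):
    """Turn 'CrushFTP 10.5', 'v11.0.2' or '11.1.0' into a 3-tuple of ints."""
    cleaned = text.strip().lower().removeprefix("crushftp").strip().lstrip("v")
    parts = [int(p) for p in cleaned.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)          # treat '10.7' as 10.7.0
    return tuple(parts[:3])


def is_patched(version):
    """True when the build is at or above the fixed release for its major branch."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # 9.x and older: no fix exists. Anything newer than 11 postdates the
        # advisory and is assumed to carry the fix.
        return v[0] > 11
    return v >= fixed


def triage(inventory):
    """inventory: iterable of (hostname, version, web_interface_exposed).

    Returns rows (host, version, patched, exposed, action) with unpatched,
    internet-exposed hosts first.
    """
    rows = []
    for host, version, exposed in inventory:
        patched = is_patched(version)
        if patched:
            action = "ok"
        elif exposed:
            action = "PATCH NOW (web interface reachable without credentials)"
        else:
            action = "patch (not directly exposed)"
        rows.append((host, version, patched, exposed, action))
    # False sorts before True, so unpatched first, then exposed before internal.
    rows.sort(key=lambda r: (r[2], not r[3]))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("ftp-dmz-01", "CrushFTP 11.1.0", True),
        ("ftp-legacy", "v9.4", False),
        ("ftp-partner", "10.6.0", True),
        ("ftp-int-02", "11.0.2", False),
    ]
    for host, version, patched, exposed, action in triage(sample):
        print(f"{host:12} {version:16} patched={patched!s:5} exposed={exposed!s:5} {action}")
```

Run it with an inventory export substituted for `sample`; the output order is the patch order. The "not at risk" carve-out for hosts behind a DMZ instance is the vendor's statement at the time of the advisory, so the script still flags such hosts for patching rather than marking them safe.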

Cybersecurity firm CrowdStrike has also confirmed the vulnerability, which has yet to be assigned a CVE ID. According to Shodan, about 2,700 CrushFTP instances have their web interface exposed to the internet, but it is unclear how many remain unpatched. CrowdStrike's Falcon OverWatch and Falcon Intelligence teams have observed the zero-day being used in targeted attacks against CrushFTP servers at multiple U.S. organizations, and the evidence points to an intelligence-gathering campaign that may be politically motivated.

CrowdStrike stated, "Falcon OverWatch and Falcon Intelligence have observed this exploit being used in the wild in a targeted fashion. CrushFTP users should continue to follow the vendor's website for the most up-to-date instructions and prioritize patching." In November, CrushFTP customers were also urged to patch a critical remote code execution vulnerability (CVE-2023-43177) after the Converge security researchers who reported the flaw released a proof-of-concept exploit.
