Urgent Call to Update: Exploited Zero-Day Vulnerability in CrushFTP Cloud Targets US Organizations

April 24, 2024

A serious security flaw has been identified in the CrushFTP server, a cloud-based file transfer system used by multiple organizations. This vulnerability, designated as CVE-2024-4040, allows unauthenticated attackers to escape a virtual file system sandbox, download system files, and potentially achieve remote code execution (RCE). The vulnerability has already been exploited as a zero-day in targeted attacks against US organizations.

CrushFTP and several security researchers have raised concerns about this flaw. The vulnerability is an improper input validation bug in the CrushFTP file transfer server version 11.1. The company released a patch for the flaw on April 19 with version 11.1.0 of the product. However, threat actors have been reported exploiting the flaw. These attacks are believed to be politically motivated and aimed at intelligence gathering; the targets were various US organizations, as reported by CrowdStrike's Falcon OverWatch and Falcon Intelligence threat-hunting teams.

The situation is still evolving. Tenable's research published on April 23 identified more than 7,100 publicly accessible CrushFTP servers, but it is unclear how many of them are vulnerable. Given that a proof-of-concept (PoC) exploit for the flaw is now publicly available, attacks on unpatched servers are likely to continue.

The vulnerability allows an attacker with low privileges to escape the server's virtual file system (VFS) sandbox to access and download system files. However, Rapid7 researchers believe there is more to the flaw than has been reported, and that it is more accurately categorized as a server-side template injection (SSTI). CVE-2024-4040 is fully unauthenticated and easy to exploit. Successful exploitation allows not only arbitrary file read as root, but also authentication bypass to administrator accounts and full remote code execution (RCE).

The best way for organizations with CrushFTP in their environment to mitigate the situation is to update to the patched version of the product immediately. Customers who place a front-end demilitarized zone (DMZ) server in front of their main CrushFTP instance to process protocols and connections are afforded partial protection from exploitation, because of the protocol translation the DMZ performs. A DMZ does not fully protect the instance, however, and you must still update immediately.

One factor complicating an organization's detection of CVE-2024-4040 exploitation is that payloads can be delivered in many different forms. When certain evasive techniques are used, payloads are redacted from logs and request history, and malicious requests are difficult to distinguish from legitimate traffic. For this reason, Rapid7 recommends that CrushFTP customers harden their servers against administrator-level RCE attacks by enabling Limited Server mode with the most restrictive configuration possible and by using firewalls wherever possible to aggressively restrict which IP addresses are permitted to reach CrushFTP services.
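Because log-based detection is unreliable here, the practical first step is an inventory triage: find every CrushFTP host, compare its reported version against the patched release, and prioritize by exposure. The script below is an added example (not CrushFTP's, Rapid7's, or any vendor's code) that does exactly that. It assumes that 11.1.0 is the first fixed release, as the advisory states, that any older version is unpatched, and that a DMZ front end counts as partial mitigation only. The inventory rows are constructed sample data; the hostnames and the CSV layout (hostname, reported version, behind-DMZ flag) are assumptions for illustration.

```python
"""Triage a CrushFTP asset inventory against the CVE-2024-4040 patch level.

Added example, not CrushFTP's or Rapid7's code. Assumes the first patched
release is 11.1.0 and that everything older is unpatched. The inventory
format and all hostnames below are constructed for illustration.
"""
import re
from dataclasses import dataclass

FIXED_VERSION = (11, 1, 0)  # first patched release per the advisory (assumption: all older versions unpatched)

# Constructed sample inventory: hostname, version as reported, behind a CrushFTP DMZ front end?
SAMPLE_INVENTORY = """\
ftp-prod-01,11.0.3,no
ftp-prod-02,11.1.0,no
ftp-dmz-01,10.7.1,yes
ftp-legacy,9.4,no
ftp-new,11.1.2,yes
ftp-unknown,,no
"""


@dataclass
class Finding:
    host: str
    version: str
    status: str  # "vulnerable", "unknown", "partially-mitigated", or "patched"
    action: str


def parse_version(text):
    """Return a comparable (major, minor, patch) tuple, or None if the string is not a dotted version."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text or "")
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(version_text, behind_dmz):
    """Map a reported version and DMZ placement to a status and the action to take."""
    v = parse_version(version_text)
    if v is None:
        # An unparseable or missing version is treated as unpatched until verified.
        return "unknown", "confirm version manually; treat as unpatched until verified"
    if v >= FIXED_VERSION:
        return "patched", "none"
    if behind_dmz:
        return "partially-mitigated", "DMZ front end reduces but does not remove exposure; update to 11.1.0 or later"
    return "vulnerable", "update to 11.1.0 or later immediately; restrict source IPs at the firewall"


def triage(inventory_csv):
    """Parse the inventory and return findings ordered worst-first."""
    findings = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, version, dmz = (field.strip() for field in line.split(","))
        status, action = classify(version, dmz.lower() == "yes")
        findings.append(Finding(host, version, status, action))
    order = {"vulnerable": 0, "unknown": 1, "partially-mitigated": 2, "patched": 3}
    findings.sort(key=lambda f: order[f.status])  # stable sort keeps inventory order within a status
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:<12} {f.version or '?':<7} {f.status:<20} {f.action}")
```

Hosts with no parseable version are deliberately ranked above partially mitigated ones: an unknown patch level on an internet-facing file transfer server should be resolved before anything else, and the output order reflects that.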
