April 25, 2024 at 12:50PM
“Over 1,400 vulnerable CrushFTP servers exposed online are currently targeted by attacks exploiting a critical SSTI vulnerability (CVE-2024-4040), allowing unauthenticated attackers to gain remote code execution. The severity of the flaw was confirmed by Rapid7, with 1,401 unpatched instances discovered. Active exploitation of the zero-day was reported, prompting urgent patching advice from CrowdStrike and CISA.”
From the meeting notes, it appears that there is a critical vulnerability (CVE-2024-4040) affecting over 1,400 CrushFTP servers, allowing unauthenticated attackers to achieve remote code execution. The vulnerability has been actively exploited in targeted attacks, with evidence of politically motivated intelligence-gathering campaigns against multiple U.S. organizations. The flaw is fully unauthenticated and trivially exploitable, allowing arbitrary file read as root, authentication bypass granting administrator account access, and full remote code execution. CrushFTP users are advised to update immediately to block attackers' attempts, to check the vendor's website regularly for the latest instructions, and to prioritize patching to protect against ongoing exploitation attempts. Additionally, CISA has ordered U.S. federal agencies to secure their vulnerable servers within a week. Furthermore, it is mentioned that in November, CrushFTP customers were also warned to patch a critical RCE vulnerability (CVE-2023-43177).