April 26, 2024 at 10:18AM
Over 1,400 vulnerable CrushFTP instances are at risk due to a critical server-side template injection bug (CVE-2024-4040). Attackers can escape the virtual file system (VFS) sandbox, gain admin privileges, and execute code. CrushFTP urges immediate upgrades, warning that the vulnerability is being exploited and could be used for data exfiltration. The difficulty of detecting exploitation adds to the severity.
Key takeaways:
– Over 1,400 instances of the CrushFTP managed file transfer software are vulnerable to a critical zero-day (CVE-2024-4040) with a CVSS score of 9.8.
– The vulnerability allows for server-side template injection, enabling remote attackers to escape the virtual file system (VFS) sandbox, gain administrative privileges, and execute arbitrary code.
– CrushFTP has urged customers to upgrade to version 10.71 or 11.1.0 to address the bug, as versions 9, 10, and 11 are affected.
– The US cybersecurity agency CISA has added the security defect to its Known Exploited Vulnerabilities catalog, setting a May 1 deadline for federal agencies to identify and patch vulnerable hosts.
– Threat actors have been exploiting the vulnerability in a targeted fashion, particularly against entities in the United States.
– CrushFTP customers are advised to update to a patched version of the enterprise file transfer application as soon as possible due to ongoing exploitation and the severity of the vulnerability.
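The affected and fixed versions above (9, 10 and 11 affected; 10.71 and 11.1.0 fixed) are the facts a defender needs to triage a fleet of CrushFTP hosts. The script below is an added example, not code from CrushFTP or the advisory: it compares dotted version strings as padded integer tuples and classifies a constructed `host,version` inventory. It assumes a 9.x build has no fixed release named on the page and therefore needs an upgrade, and the inventory format is invented for illustration.

```python
from typing import Optional

# Fixed releases named in the advisory, per major version branch (page values).
FIXED_BY_BRANCH = {10: "10.71", 11: "11.1.0"}
# Branches the page lists as affected; 9 has no fixed build on the page (assumption:
# treat every 9.x as needing an upgrade to a fixed 10.x or 11.x release).
AFFECTED_BRANCHES = {9, 10, 11}


def parse_version(version: str) -> tuple:
    """Turn '10.7.1' or '10.71' into a 3-part integer tuple so tuples compare correctly."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable CrushFTP version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums)) if len(nums) < 3 else nums[:3]


def is_vulnerable(version: str) -> Optional[bool]:
    """True if affected by CVE-2024-4040, False if at/after the fixed build,
    None if the major version is not a branch the advisory covers."""
    v = parse_version(version)
    major = v[0]
    if major not in AFFECTED_BRANCHES:
        return None
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        return True  # 9.x: no fixed build named, must move to a fixed branch
    return v < parse_version(fixed)


def triage_inventory(lines) -> dict:
    """Classify 'host,version' lines into needs_upgrade / patched / unknown."""
    report = {"needs_upgrade": [], "patched": [], "unknown": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            status = is_vulnerable(version)
        except ValueError:
            status = None  # unparseable version: flag for manual review
        if status is None:
            report["unknown"].append(host)
        elif status:
            report["needs_upgrade"].append(host)
        else:
            report["patched"].append(host)
    return report


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    "# host,version",
    "mft-01,10.7.0", "mft-02,10.71", "mft-03,11.0.3",
    "mft-04,9.5.0", "mft-05,11.1.0", "mft-06,unknown",
]
```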