Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day

April 26, 2024 at 10:18AM Over 1,400 vulnerable CrushFTP instances are at risk due to a critical server-side template injection bug (CVE-2024-4040). Attackers can escape the virtual file system (VFS) sandbox, gain admin privileges, and execute code. CrushFTP urges immediate upgrades, warning of exploited vulnerability with potential for data exfiltration. Difficulty in detecting exploitation adds … Read more

Over 1,400 CrushFTP servers vulnerable to actively exploited bug

April 25, 2024 at 12:50PM “Over 1,400 vulnerable CrushFTP servers exposed online are currently targeted by attacks exploiting a critical SSTI vulnerability (CVE-2024-4040), allowing unauthenticated attackers to gain remote code execution. The severity of the flaw was confirmed by Rapid7, with 1,401 unpatched instances discovered. Active exploitation of the zero-day was reported, prompting urgent patching … Read more

Patch Now: CrushFTP Zero-Day Cloud Exploit Targets US Orgs

April 24, 2024 at 09:33AM Security researchers and CrushFTP warn of a critical sandbox escape flaw (CVE-2024-4040) in version 11.1 of the multiprotocol, multiplatform, cloud-based file transfer server. The vulnerability has been actively exploited and potentially politically motivated, leading to intelligence gathering attacks on US organizations. Publicly available exploit code raises high risks, urging immediate … Read more

CrushFTP Patches Exploited Zero-Day Vulnerability

April 22, 2024 at 09:33AM CrushFTP issued patches for a zero-day vulnerability affecting versions 9, 10, and 11. The flaw could allow an unauthenticated attacker to access system files. DMZ server users are protected. Version 10.71 and 11.1.0 have patches. Customers on version 9 should upgrade. The vulnerability has been exploited in the wild, and … Read more

Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks

April 20, 2024 at 01:57AM Users of CrushFTP are urged to update to version 11.1 following the discovery of a security flaw that has been exploited. Customers in a DMZ restricted environment are protected. The vulnerability, discovered by Simon Garrelou, allows users to download system files. CrowdStrike observed targeted exploits in the wild, mainly on … Read more

CrushFTP warns users to patch exploited zero-day “immediately”

April 19, 2024 at 06:36PM CrushFTP issued a private memo warning about an actively exploited zero-day vulnerability. It enables attackers to escape the user’s file system and download system files. While servers using a DMZ perimeter network are protected, customers are urged to patch immediately. The vulnerability, reported on April 19th, affects CrushFTP versions 9 … Read more

Exploit for CrushFTP RCE chain released, patch now

November 18, 2023 at 10:32PM A proof-of-concept exploit for a critical remote code execution vulnerability in CrushFTP has been publicly released. Attackers can access files, execute code, and obtain passwords. The developers released a fix in CrushFTP 10.5.2, but applying the patches may not protect against all threats. Users should update to the latest version, … Read more