CrushFTP Addresses Critical 0-Day Vulnerability: Urgent Call to Update Now

Developers of CrushFTP have notified customers by email about an actively exploited zero-day vulnerability that has been fixed in the latest versions of the program. They are urging everyone to install the patches on their servers immediately.

As the company explains in a public security bulletin, the vulnerability allowed unauthorized attackers to break out of the virtual file system (VFS) and access system files. It is emphasized that customers who run a CrushFTP DMZ instance in front of their main CrushFTP instance should be protected from attacks.

The vulnerability has not yet been assigned a CVE identifier; it has been fixed in CrushFTP versions 10.7.1 and 11.1.0.

“Please take immediate action to apply the fix as soon as possible. Today (April 19, 2024) the notification of this vulnerability was received, and we immediately addressed it. This vulnerability is already being exploited in attacks,” the company warns in the email. “The issue lies in the fact that any unauthenticated or authenticated user through the web interface can access system files that are not part of their VFS. This may lead to escalation.”

The company also alerted customers still running CrushFTP 9 on their servers to immediately upgrade to version 11.
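The patch guidance above boils down to a per-branch rule: 10.x must be at 10.7.1 or later, 11.x at 11.1.0 or later, and 9.x is to be upgraded to 11. The following script is an added example (not from the article or from CrushFTP) that applies that rule to a constructed inventory of server version strings so an administrator can see which hosts still need attention; hostnames and versions in the sample inventory are made up.

```python
# Added example: triage CrushFTP version strings against the fixed versions
# named in the bulletin (10.7.1 for the 10.x branch, 11.1.0 for 11.x).
# 9.x is out of support and should be upgraded to 11, per the article.

FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text):
    """Turn '11.0.3' or '10.7' into a 3-tuple of ints ('10.7' -> (10, 7, 0))."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or any(p < 0 for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def triage(version):
    """Classify one version: 'patched', 'vulnerable', 'upgrade' (9.x or
    older: move to 11) or 'unknown' (a branch the bulletin does not cover)."""
    v = parse_version(version)
    major = v[0]
    if major < 10:
        return "upgrade"
    fixed = FIXED.get(major)
    if fixed is None:
        return "unknown"
    # Tuple comparison is lexicographic, so (10, 7, 0) < (10, 7, 1).
    return "patched" if v >= fixed else "vulnerable"


def summarize(inventory):
    """Return {status: [hostnames]} for a list of (hostname, version) pairs."""
    report = {}
    for host, version in inventory:
        report.setdefault(triage(version), []).append(host)
    return report


# Constructed sample inventory (not real hosts).
SAMPLE = [
    ("ftp-a.example", "10.7.1"),
    ("ftp-b.example", "10.6.2"),
    ("ftp-c.example", "11.1.0"),
    ("ftp-d.example", "11.0.9"),
    ("ftp-e.example", "9.2.3"),
]

if __name__ == "__main__":
    for status, hosts in sorted(summarize(SAMPLE).items()):
        print(f"{status:10s} {', '.join(hosts)}")
```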

According to Shodan, at least 2700 instances of CrushFTP have exposed web interfaces vulnerable to attacks, although it is not possible to determine which of them already have the patches installed.

Cybersecurity company CrowdStrike independently confirmed the existence of the vulnerability in their analytical report, providing additional information on the issue and attacks on CrushFTP.

Experts claim that the 0-day in CrushFTP is already being used in targeted attacks. For instance, attackers have already targeted CrushFTP servers in a number of undisclosed American organizations, and evidence suggests that this is an espionage campaign that likely has a political motive.
