CrushFTP urges customers to patch servers with new versions due to discovering zero-day.
The CrushFTP zero-day vulnerability is tracked as CVE-2024-4040 and enables attackers to escape the VFS sandbox and download system files. Its CVSS score is 9.8, which is critical.
CrushFTP zero-day explained
CrushFTP is vulnerable to a server-side template injection issue that affects versions before 10.7.1 and 11.1.0.
CVE-2024-4040 allows unauthorized remote attackers to access files outside the designated VFS Sandbox, bypass authentication, and execute code on the server.
At first, the company announced that the flaw didn't impact users operating their CrushFTP instances in a demilitarized zone (DMZ). However, on April 22, they discovered that this was not true.
As of April 22, we have changed our opinion on this. A DMZ does not fully protect you.
Customers using a DMZ in front of their main CrushFTP instance are partially protected by the protocol translation system it utilizes. A DMZ however does not fully protect you and you must update immediately.
Source – CrushFTP statement
Patching Emergency
The company's team released a patch only a few hours after security researchers notified them. They have since warned all customers about the CrushFTP zero-day vulnerability and urged them to apply the patches promptly.
We patched the vulnerability within a couple hours of being made aware of it, and then worked through testing and confirming the fix before issuing emails to everyone on the notification list of emergency updates.
10.7.1 patches all v10 versions and 11.1 patches all v11 versions. No one should still be running v9.
Ben Spink, CrushFTP’s founder and president – Source
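The statement above gives two branch-specific fixed builds (10.7.1 for the v10 line, 11.1.0 for the v11 line) and says v9 has no fix at all. The following Python triage helper is an added example, not code from CrushFTP or the article; it parses version strings as they might appear in an inventory (the sample inventory is constructed) and classifies each host against those thresholds. The assumption that any major version above 11 ships with the fix is mine, not a vendor statement.

```python
"""Classify CrushFTP version strings against the CVE-2024-4040 fixed builds."""
from __future__ import annotations

import re

# Fixed builds per the vendor statement: 10.7.1 patches v10, 11.1 (taken as 11.1.0) patches v11.
FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract the leading dotted integers, e.g. 'CrushFTP 11.0.3_20' -> (11, 0, 3).

    Build suffixes after an underscore are ignored; missing components are padded with 0.
    """
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    padded = (parts + (0, 0, 0))[:3]
    return padded[0], padded[1], padded[2]


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unsupported' for one version string."""
    v = parse_version(version)
    major = v[0]
    if major < 10:
        # v9 and older never received a fix; the vendor says no one should still run v9.
        return "unsupported"
    if major > 11:
        # Assumption (not from the vendor): later major lines include the fix.
        return "patched"
    return "patched" if v >= FIXED[major] else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by patch status so the vulnerable set can be prioritised."""
    groups: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unsupported": []}
    for host, ver in inventory.items():
        groups[assess(ver)].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "ftp-a.example.test": "CrushFTP 10.6.2",
    "ftp-b.example.test": "10.7.1",
    "ftp-c.example.test": "CrushFTP 11.0.3_20",
    "ftp-d.example.test": "11.1.0",
    "ftp-e.example.test": "9.3.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

Running the script prints one line per status; anything in the vulnerable or unsupported buckets should be scheduled for an immediate upgrade, and the version check should be repeated after patching since a DMZ in front of the instance does not remove it from the list.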
For now, the web interfaces of roughly 2,700 CrushFTP instances are exposed online. Security researchers say hackers are targeting US organizations’ CrushFTP servers. Their aim is to gather data for political reasons, according to BleepingComputer.