

CrushFTP urges customers to patch their servers with new versions after discovering a zero-day vulnerability.

The CrushFTP zero-day vulnerability is tracked as CVE-2024-4040 and enables attackers to escape the virtual file system (VFS) and download system files. Its CVSS score is 9.8, rated critical.

CrushFTP zero-day explained

CrushFTP is vulnerable to a server-side template injection issue that affects versions before 10.7.1 and 11.1.0.

CVE-2024-4040 allows unauthorized remote attackers to access files outside the designated VFS Sandbox, bypass authentication, and execute code on the server.

At first, the company announced that the flaw didn't impact users operating their CrushFTP instances behind a demilitarized zone (DMZ). However, on April 22, they discovered that was not true.

As of April 22, we have changed our opinion on this. A DMZ does not fully protect you.

Customers using a DMZ in front of their main CrushFTP instance are partially protected with the protocol translation system it utilizes. A DMZ however does not fully protect you and you must update immediately.

Source – CrushFTP statement

Patching Emergency

The company's team released a patch only a few hours after security researchers notified them. They have since warned all customers about the CrushFTP zero-day vulnerability and urged them to apply the patches promptly.

We patched the vulnerability within a couple hours of being made aware of it, and then worked through testing and confirming the fix before issuing emails to everyone on the notification list of emergency updates.

10.7.1 patches all v10 versions and 11.1 patches all v11 versions. No one should still be running v9.

Ben Spink, CrushFTP’s founder and president – Source
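The fixed releases named above (10.7.1 for the v10 line, 11.1.0 for the v11 line, and nothing for v9, which must be upgraded regardless) are easy to apply by hand to one server and easy to get wrong across an inventory. The following is an added example, not code from the article or from CrushFTP, that turns those thresholds into a triage function over a constructed list of hosts and version banners. It assumes version strings contain a "major.minor" or "major.minor.patch" number (the hostnames, banners, and the "unsupported" / "not in advisory" labels are this example's own); per the vendor's April 22 update, whether an instance sits behind a DMZ is deliberately not part of the verdict.

```python
# Added example (not CrushFTP's own tooling): classify CrushFTP version strings
# against the fixed releases the vendor named for CVE-2024-4040.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Fixed versions per major line, as stated in the advisory:
# 10.7.1 patches all v10, 11.1 (i.e. 11.1.0) patches all v11.
FIXED: Dict[int, Tuple[int, int, int]] = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a banner such as 'CrushFTP 10.7.0' or '11.1.0_23'.

    A missing patch component is treated as 0, so '11.1' compares equal to 11.1.0.
    """
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'patched', 'unsupported' (v9 and older) or 'not in advisory'."""
    version = parse_version(version_text)
    major = version[0]
    if major < 10:
        # The vendor states no one should still be running v9; there is no v9 fix.
        return "unsupported"
    if major not in FIXED:
        # Major lines newer than those the advisory covers: do not guess, flag for review.
        return "not in advisory"
    return "vulnerable" if version < FIXED[major] else "patched"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by verdict; hosts within a group are sorted for stable output."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for host, banner in inventory.items():
        groups[assess(banner)].append(host)
    return {verdict: sorted(hosts) for verdict, hosts in groups.items()}


# Constructed sample inventory (hostnames and banners are invented for this example).
SAMPLE_INVENTORY: Dict[str, str] = {
    "ftp-a.example.internal": "CrushFTP 10.7.0",
    "ftp-b.example.internal": "CrushFTP 10.7.1",
    "ftp-c.example.internal": "CrushFTP 11.0.9_12",
    "ftp-d.example.internal": "CrushFTP 11.1.0",
    "ftp-e.example.internal": "CrushFTP 9.4.2",
}

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict:15} {', '.join(hosts)}")
```

Feed the function whatever your asset inventory or scanner already records as the CrushFTP version string; anything that lands in the "vulnerable" or "unsupported" groups needs the update the vendor describes, DMZ or not.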

For now, the web interfaces of roughly 2,700 CrushFTP instances are exposed online. Security researchers say attackers are targeting US organizations' CrushFTP servers, with the aim of gathering data for political reasons, according to BleepingComputer.


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
