CrushFTP vulnerability exploited in the wild to execute remote code



A critical vulnerability in CrushFTP, CVE-2024-4040, is being actively exploited in the wild. The flaw allows unauthenticated attackers to execute code remotely on vulnerable servers.

Versions of CrushFTP prior to 10.7.1 and 11.1.0 are impacted by this severe security issue, allowing attackers to bypass the Virtual File System (VFS) sandbox, attain administrative privileges, and potentially access sensitive files or execute arbitrary code remotely.

All about CrushFTP vulnerability

CVE-2024-4040 was initially disclosed by CrushFTP on April 19, 2024, via a private mailing list and later received a high severity score of 9.8.

Broadcom reports indicate that the vulnerability enables low-privileged remote attackers to evade the VFS sandbox and execute actions exceeding their designated limits without authentication.

Originally perceived as a minor vulnerability permitting only file access, the flaw has since been shown to enable complete server compromise. More than 7,100 CrushFTP servers have been identified as publicly accessible and potentially vulnerable, underscoring the extent of the risk associated with this vulnerability.

Mitigation

Following its discovery, CrushFTP swiftly issued patches for the impacted versions—10.7.1 for the 10.x series and 11.1.0 for the 11.x series.

Security experts strongly urge all users to promptly update their software to these patched versions to reduce the risk.
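As an added example (not from the advisory or from CrushFTP), the script below applies the fixed-version thresholds named above (10.7.1 for the 10.x series, 11.1.0 for the 11.x series) to an asset inventory so that unpatched installs can be triaged; the hostnames and version strings are constructed for illustration.

```python
"""Flag CrushFTP installs that predate the fixes for CVE-2024-4040.
The inventory at the bottom is constructed sample data, not real hosts."""
import re
from typing import List, Optional, Tuple

# Fixed versions per major series; anything below these is affected.
FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted numeric version such as '10.7.1' from a banner or
    inventory string; returns None if no version is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups(default="0"))


def is_affected(version: str) -> Optional[bool]:
    """True if the version predates the fix for its series, False if it is
    at or above the fixed release, None if the version cannot be parsed."""
    v = parse_version(version)
    if v is None:
        return None
    major = v[0]
    if major in FIXED:
        # Tuple comparison is numeric, so 10.7.10 correctly sorts above 10.7.1.
        return v < FIXED[major]
    # Any release older than the 10.x series predates both fixes.
    return major < 10


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) per entry; status is 'affected',
    'patched' or 'unknown'."""
    out = []
    for host, ver in inventory:
        flag = is_affected(ver)
        status = "unknown" if flag is None else ("affected" if flag else "patched")
        out.append((host, ver, status))
    return out


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("ftp-a.example.internal", "CrushFTP 10.6.2"),
          ("ftp-b.example.internal", "CrushFTP 11.0.4"),
          ("ftp-c.example.internal", "CrushFTP 11.1.0"),
          ("ftp-d.example.internal", "10.7.10"),
          ("ftp-e.example.internal", "unknown build")]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE):
        print(f"{host:26} {ver:18} {status}")
```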

Earlier suggestions regarding the use of a demilitarized zone (DMZ) have been rescinded due to concerns that they may not offer comprehensive protection against this exploit.

Apart from promptly applying the essential patches, organizations are advised to enforce rigorous security protocols. This involves setting up network rules to restrict CrushFTP application access to trusted clients and deploying advanced detection systems to promptly identify and respond to any suspicious activities.

Organizations utilizing CrushFTP must swiftly take action to patch their systems, thereby fortifying defenses against potential breaches that could result in significant data loss or compromise.


About the Author:

FirstHackersNews - Identifies Security
