CVE-2024-4040: CrushFTP VFS Sandbox Escape Vulnerability
First published: Mon Apr 22 2024(Updated: )
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
Credit: 430a6cef-dc26-47e3-9fa8-52fb7f19644e
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CrushFTP CrushFTP | ||
| CrushFTP CrushFTP | >=10.0.0<10.7.1 | |
| CrushFTP CrushFTP | >=11.0.0<11.1.0 |
Remedy
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Remedy
https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update&version=34
- https://www.bleepingcomputer.com/news/security/over-1-400-crushftp-servers-vulnerable-to-actively-exploited-bug/
- https://github.com/airbus-cert/CVE-2024-4040
- https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
- https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
- https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
- https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/
- https://www.theregister.com/2024/05/13/infosec_in_brief/
- agent/type
- agent/first-publish-date
- agent/author
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-4040
- alias/CVE-2023-43177
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/remedy
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/severity
- agent/description
- agent/references
- agent/tags
- agent/epss
- collector/epss-latest
- source/FIRST
- agent/event
- collector/the-register
- source/The Register
- alias/CVE-2024-4671
- vendor/crushftp
- canonical/crushftp crushftp
- version/crushftp crushftp/10.0.0
- version/crushftp crushftp/11.0.0