CVE-2024-4040: Unauthenticated arbitrary file read and remote code execution in CrushFTP
First published: Mon Apr 22 2024(Updated: )
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
Credit: 430a6cef-dc26-47e3-9fa8-52fb7f19644e 430a6cef-dc26-47e3-9fa8-52fb7f19644e
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CrushFTP | ||
| CrushFTP | >=10.0.0<10.7.1 | |
| CrushFTP | >=11.0.0<11.1.0 |
Remedy
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Remedy
https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
- https://www.bleepingcomputer.com/news/security/over-1-400-crushftp-servers-vulnerable-to-actively-exploited-bug/
- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update&version=34;
- https://nvd.nist.gov/vuln/detail/CVE-2024-4040
- https://github.com/airbus-cert/CVE-2024-4040
- https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
- https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
- https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
- https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/
- https://www.theregister.com/2025/02/10/infosec_in_brief/
Frequently Asked Questions
What is the severity of CVE-2024-4040?
CVE-2024-4040 is a high severity vulnerability that allows unauthenticated remote attackers to read files and gain administrative access.
How do I fix CVE-2024-4040?
To fix CVE-2024-4040, upgrade your CrushFTP version to at least 10.7.1 or 11.1.0.
What software versions are affected by CVE-2024-4040?
CVE-2024-4040 affects all versions of CrushFTP prior to 10.7.1 and 11.1.0 on all platforms.
Can CVE-2024-4040 allow remote code execution?
No, CVE-2024-4040 primarily allows unauthorized file access and administrative access, but does not facilitate remote code execution.
Is CVE-2024-4040 actively being exploited?
Yes, CVE-2024-4040 is currently being exploited in the wild and requires immediate attention.
- agent/type
- agent/first-publish-date
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-4040
- alias/CVE-2023-43177
- agent/weakness
- agent/description
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/author
- agent/title
- agent/softwarecombine
- agent/trending
- agent/source
- agent/severity
- agent/remedy
- agent/news-ai
- zeroday/true
- exploited/true
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/the-register
- source/The Register
- alias/CVE-2024-21413
- agent/references
- agent/tags
- agent/event
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- vendor/crushftp
- canonical/crushftp
- version/crushftp/10.0.0
- version/crushftp/11.0.0