Critical flaws reported in CrushFTP file transfer software
Take action: If you run CrushFTP in your infrastructure, plan a patch now and apply the interim remediations below. The flaws have some prerequisites, but they are serious. Don't delay.
Learn More
CrushFTP has disclosed two critical flaws, both fixed in current releases.
- CVE-2024-53552 (CVSS 9.8) - A password-reset email flaw affecting v10 below 10.8.3 and v11 below 11.2.3. The domain used in the emailed reset link is not restricted to the server's own hostname (hence the allowed-domain settings under Mitigation Steps), so a crafted reset link can lead to account takeover.
- CVE-2024-11986 (CVSS 9.6) - A cross-site scripting flaw: an unauthenticated attacker can write markup into the server's log files, and it executes in an administrator's browser when the affected log is viewed in the admin interface. This can lead to full system compromise. Affects versions prior to 10.8.2 and 11.2.1.
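Because the XSS payload has to land in the log before it can reach an administrator's browser, the log itself is where to hunt for exploitation attempts. The scanner below is an added example, not CrushFTP's code and not a vendor-supplied signature: it normalises percent-encoding and HTML entities (the two cheapest ways to slip markup past a plain grep) and flags lines carrying tags, event handlers or javascript: URIs. The log lines are constructed in a generic format; real CrushFTP log layout is not assumed.

```python
import html
import re
from urllib.parse import unquote

# Markers that should not appear in a username, path or user-agent that a
# file-transfer server writes to its log. Coarse heuristic: tune to your
# environment and expect some noise from legitimate HTML in upload names.
_MARKERS = re.compile(
    r"<\s*/?\s*(?:script|img|svg|iframe|object|embed|body|style|meta|link)\b"  # HTML tags
    r"|\bon[a-z]+\s*="                                                           # event handlers, e.g. onerror=
    r"|javascript\s*:",                                                          # javascript: URIs
    re.IGNORECASE,
)


def normalize(line: str) -> str:
    """Undo the encodings an attacker uses to hide markup from a naive grep:
    percent-encoding (as it arrives in URLs), then HTML entities."""
    return html.unescape(unquote(line))


def is_suspicious(line: str) -> bool:
    return _MARKERS.search(normalize(line)) is not None


def scan_log(lines):
    """Return (1-based line number, raw line) for every line carrying markup."""
    return [(n, line) for n, line in enumerate(lines, start=1) if is_suspicious(line)]


# Constructed sample lines in a generic format; not real CrushFTP output.
SAMPLE_LOG = [
    "2024-12-01 10:00:01 LOGIN OK user=alice ip=10.0.0.5",
    "2024-12-01 10:00:02 LOGIN FAIL user=<script>alert(document.cookie)</script> ip=203.0.113.9",
    "2024-12-01 10:00:03 LOGIN FAIL user=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E ip=203.0.113.9",
    "2024-12-01 10:00:04 LOGIN FAIL user=&lt;svg onload=alert(1)&gt; ip=203.0.113.9",
    "2024-12-01 10:00:05 LOGIN OK user=bob ip=10.0.0.6 agent=Mozilla/5.0 (Windows NT 10.0)",
]

if __name__ == "__main__":
    for n, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

Run it over the raw log files, not over the rendered admin view: the rendered view is exactly where the payload executes, and a browser has already interpreted the markup by then.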
Affected Versions:
- All versions below 10.8.3
- All versions below 11.2.3
- Legacy versions 7, 8, and 9 (no longer supported)
Secure Versions:
- CrushFTP 10.8.3 or higher
- CrushFTP 11.2.3 or higher
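With two supported branches, three end-of-life ones and a fixed release per branch, "is this host patched?" is easy to get wrong by comparing version strings lexically (10.8.10 sorts before 10.8.3 as text). The triage script below is an added example, not vendor tooling: it encodes the advisory's fixed versions, parses the x.y.z triple out of a banner or config string (a trailing build suffix such as `_17` is assumed possible and ignored) and classifies an inventory. Hostnames and versions in the inventory are constructed.

```python
import re

# Fixed releases per major branch, from the advisory: both CVEs are closed
# at or above these. Branches 7-9 are no longer supported and receive no fix.
FIXED_BY_BRANCH = {10: (10, 8, 3), 11: (11, 2, 3)}
UNSUPPORTED_BRANCHES = {7, 8, 9}


def parse_version(text: str) -> tuple:
    """Extract the x.y.z triple from a banner or config string such as
    'CrushFTP 10.8.2' or '11.2.3_17' (build suffix assumed, ignored)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(text: str) -> str:
    """Classify one version string against the advisory."""
    version = parse_version(text)
    major = version[0]
    if major in UNSUPPORTED_BRANCHES:
        return "unsupported: upgrade to 10.8.3+ or 11.2.3+"
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        return "not covered by this advisory: check vendor guidance"
    if version >= fixed:  # tuple comparison is numeric, so 10.8.10 > 10.8.3
        return "patched"
    return "vulnerable: upgrade to " + ".".join(map(str, fixed)) + "+"


def triage(inventory: dict) -> dict:
    """hostname -> version string in, hostname -> assessment out."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed inventory; hostnames and versions are illustrative.
INVENTORY = {
    "mft-prod-01.example.internal": "CrushFTP 11.2.3_17",
    "mft-prod-02.example.internal": "CrushFTP 11.2.2",
    "mft-legacy.example.internal": "CrushFTP 9.4.1",
    "mft-dmz.example.internal": "CrushFTP 10.8.10",
}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it whatever your asset inventory or banner grab returns; the only requirement is that an x.y.z triple appears somewhere in the string.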
Mitigation Steps:
- Upgrade immediately to a fixed version (10.8.3+ or 11.2.3+); this closes both CVEs
- For v10, as an interim mitigation for CVE-2024-53552 until you can patch: configure the allowed email reset URL domains in Preferences > WebInterface > MiniURL
- For v11, likewise: set specific domain patterns in Preferences > WebInterface > Login Page
- Neither domain setting addresses the XSS (CVE-2024-11986); only the upgrade does
- v7, v8 and v9 receive no fix; upgrade to a supported version
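The reason the allowed-domain settings matter: a reset link carries the reset token, so if the link's host can be steered to a domain the attacker controls, the token is delivered to the attacker the moment the victim clicks. The code below is an added illustration of what such an allowlist should enforce; it is not CrushFTP's implementation, and the advisory does not describe the vendor's mechanism in detail. Allowlist entries and the default base URL are constructed.

```python
from urllib.parse import urlsplit

# Hosts a password-reset link may point at. Constructed; use your server's
# own public name(s). Exact host names, never patterns with open suffixes.
ALLOWED_RESET_HOSTS = {"ftp.example.com", "transfer.example.com"}
DEFAULT_RESET_BASE = "https://ftp.example.com"


def reset_link_is_allowed(url: str, allowed=ALLOWED_RESET_HOSTS) -> bool:
    """True only for an https link whose host is exactly on the allowlist.
    Exact match, not suffix match, so 'ftp.example.com.attacker.test' fails.
    urlsplit().hostname drops port and userinfo and lower-cases, so
    'ftp.example.com@attacker.test' is judged on 'attacker.test'."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo in a reset link only ever disguises the real host
    return parts.hostname is not None and parts.hostname in allowed


def choose_reset_base(requested_base: str, allowed=ALLOWED_RESET_HOSTS,
                      default=DEFAULT_RESET_BASE) -> str:
    """Pick the base URL for an emailed reset link. Anything not on the
    allowlist is replaced by the configured default, never passed through."""
    return requested_base if reset_link_is_allowed(requested_base, allowed) else default


def build_reset_link(requested_base: str, token: str) -> str:
    """Assemble the link that goes into the email. The token is the secret;
    the host it is sent to is decided by the allowlist, not by the request."""
    return choose_reset_base(requested_base).rstrip("/") + "/reset?token=" + token


if __name__ == "__main__":
    for candidate in ("https://ftp.example.com", "https://attacker.test",
                      "https://ftp.example.com@attacker.test"):
        print(candidate, "->", build_reset_link(candidate, "t0k"))
```

When you fill in the v10 or v11 setting, prefer the exact public hostnames over wildcard patterns: a pattern that matches any suffix recreates the weakness the setting is there to remove.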