CrushFTP warns of actively exploited flaw, users asked to update immediately
Take action: If you are using CrushFTP in your infrastructure, wake up your engineers and start patching, because the service is being actively exploited.
CrushFTP, a popular file transfer server, has issued an urgent warning to its users about a newly discovered zero-day vulnerability that is being exploited in the wild by hacking groups.
This critical security flaw allows unauthenticated attackers, as well as authenticated users of the WebInterface, to escape the user-defined virtual file system (VFS) and read system files that should be restricted. This can lead to further escalation as attackers obtain sensitive information from those files.
The vulnerability is tracked as CVE-2024-4040 (CVSS score 9.8). It was identified and patched on April 19th, 2024. Users are strongly urged to update their servers to the fixed versions, CrushFTP 10.7.1 or 11.1.0.
There are still active servers running CrushFTP version 9, which must be updated immediately. The company provides a straightforward rollback option for users who experience issues or regressions after updating.
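The fixed builds named above give a simple triage rule for an inventory of CrushFTP hosts: anything on the 10.x branch below 10.7.1, anything on the 11.x branch below 11.1.0, and anything on version 9 or earlier (which has no fixed build and must move to a supported branch) still needs attention. The following script is an added example, not CrushFTP's own code or tooling. It assumes you already have a host-to-version mapping from your asset inventory (the sample inventory is constructed for illustration), it tolerates a hypothetical build suffix such as `11.1.0_22` by keeping only the leading digits of each component, and it assumes that any branch newer than 11 already contains the fix.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed build on each branch, taken from the advisory text above.
FIXED_BUILDS: Dict[int, Version] = {
    10: (10, 7, 1),
    11: (11, 1, 0),
}


def parse_version(raw: str) -> Version:
    """Turn 'major.minor.patch' into a comparable tuple.

    Keeps only the leading digits of each component so a hypothetical build
    suffix like '11.1.0_22' still parses, and pads missing components with 0.
    Raises ValueError for strings that are not versions at all.
    """
    parts: List[int] = []
    for piece in raw.strip().split(".")[:3]:
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {raw!r}")
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def needs_patch(raw: str) -> bool:
    """True if the given CrushFTP version is still affected by CVE-2024-4040."""
    version = parse_version(raw)
    major = version[0]
    if major < 10:
        # Version 9 and earlier have no fixed build: upgrade to 10.7.1 or 11.1.0.
        return True
    fixed = FIXED_BUILDS.get(major)
    if fixed is None:
        # Assumption: branches newer than 11 were released with the fix included.
        return False
    return version < fixed


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify every host as VULNERABLE, patched, or unknown (unparseable)."""
    rows: List[Tuple[str, str, str]] = []
    for host, raw in sorted(inventory.items()):
        try:
            status = "VULNERABLE" if needs_patch(raw) else "patched"
        except ValueError:
            status = "unknown"
        rows.append((host, raw, status))
    return rows


# Constructed sample inventory; replace with the output of your asset tooling.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ftp-legacy.example.internal": "9.2.9",
    "ftp-eu.example.internal": "10.6.2",
    "ftp-us.example.internal": "10.7.1",
    "ftp-dev.example.internal": "11.0.9",
    "ftp-new.example.internal": "11.1.0_22",
    "ftp-odd.example.internal": "unknown-build",
}

if __name__ == "__main__":
    for host, raw, status in triage(SAMPLE_INVENTORY):
        print(f"{host:<30} {raw:<14} {status}")
```

Hosts reported as `unknown` deserve a manual look rather than being assumed safe; a version string your inventory cannot parse is usually a sign the host is not being tracked properly.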
According to data from Shodan, approximately 2,700 CrushFTP instances are currently exposed online, and it remains unclear how many of these have not yet been patched.