Exploit proof of concept released for CrushFTP, patch ASAP

published: Nov. 18, 2023

Take action: If you are using CrushFTP, patch ASAP. Since it's a file transfer server, it's unlikely you can lock it down to internal network. Even if you patch, enable automated security updates, and add more controls through a more secure password algorithm use in CrushFTP and run the server in a limited privilege system account. Or just wait for the hackers to find you.

Learn More

A critical remote code execution (RCE) vulnerability in CrushFTP, an enterprise file transfer suite, has been exposed through the release of a proof-of-concept exploit.

Identified in August 2023 by researchers at Converge and tracked as CVE-2023-43177 (CVSS3 score 9.8), itthe vulnerability allows attackers, even without authentication, to manipulate files, execute commands, and access sensitive information like plaintext passwords.

The exploit operates via an unauthenticated mass-assignment flaw, utilizing AS2 (Applicability Statement 2) header parsing to alter user session attributes, enabling actions ranging from file manipulation to system-wide control. A mass-assignment flaw occurs when an application automatically assigns user input to variables or objects without proper filtering or validation. This means that an attacker can supply multiple values that the application will blindly trust and assign to internal variables or properties.

Attackers can deliver malicious payloads through standard web headers on common ports, subsequently manipulating Java session data to gain administrative privileges. With admin access, they can further exploit CrushFTP admin panel vulnerabilities to run arbitrary Java code.

The developers have released a patch with CrushFTP version 10.5.2. With the PoC being available, cyber crime gangs will make automted scanners to find CrushFTP instances and automatically attack them. Administrators should patch ASAP.

Despite a patch being available, not all security risks are neutralized post-update. Users should defninitely upgrade CrushFTP, and enable automated security updates. They should also switch to a more secure password algorithm such as Argon, conduct audits for unauthorized access,  enable a new 'Limited Server' mode for heightened security, operate CrushFTP under a limited privilege system account, and possibly grant access to CrushFTP from trusted IP sources.

Exploit proof of concept released for CrushFTP, patch ASAP