overview
A critical security vulnerability (CVE-2024-4040) in CrushFTP, a widely used enterprise file transfer solution, has been found and is actively being exploited by attackers. This vulnerability allows attackers to escape their virtual file system and download system files, particularly if the solution’s WebInterface is exposed on the internet.
According to CrowdStrike, the recent targeting of CrushFTP hosts appears to be part of reconnaissance efforts. Multiple U.S. entities have been subjected to probing, indicating a potential political motivation behind this intelligence-gathering activity.
Exploitation of CVE-2024-4040 could allow for the unauthorized retrieval of system files, leading to escalation and further compromise. Affected versions include CrushFTP v11 and v10. Patched versions are v11.1.0 and v10.7.1. Customers on v9 should upgrade to v11.1.0 immediately. There is no definitive way to check for exploitation, making immediate patching important.
Customers using a DMZ in front of their main CrushFTP instance are only partially protected and are advised to upgrade immediately.
For guidance on how to upgrade to CrushFTP v11.1.0 and v10.7.1, please see CrushFTP’s advisory.
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with CVE-2024-4040. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
SUPPORTING DOCUMENTATION