
CrushFTP Zero-Day Could Allow Attackers To Gain Complete Server Access

CrushFTP disclosed a zero-day vulnerability (CVE-2024-4040) affecting versions below 10.7.1 and 11.1.0. The vulnerability allows remote attackers with low privileges to bypass the VFS sandbox and read arbitrary files on the underlying filesystem. 

Chained into a server-side template injection (SSTI) attack, it can give an attacker complete control of the compromised CrushFTP server: bypassing authentication, reading arbitrary files with root privileges, and executing code on the host. 

The vulnerability is especially dangerous because it requires no authentication, and publicly available exploit code exists.

Attackers can leverage this vulnerability to steal data, install malware, or completely compromise the CrushFTP server.

CVE-2024-4040 allows unauthenticated attackers to read arbitrary files outside the Virtual File System (VFS) sandbox.


CrushFTP Zero-Day Full Server Access

This vulnerability was exploited in the wild before a patch was available, and around 5,200 CrushFTP servers are vulnerable because they are exposed to the public Internet. 

A further consequence of this vulnerability is that it enables unauthenticated attackers to read files located outside the designated file system sandbox, which could result in privilege escalation and remote code execution.  

Upgrading to CrushFTP 10.7.1 (10.x series) or 11.1.0 (11.x series) is necessary to mitigate the vulnerability; these releases have been validated to address CVE-2024-4040. 

A critical CrushFTP vulnerability (CVE-2024-4040) allows attackers with low privileges to escape the VFS sandbox and potentially gain full system compromise. CrushFTP recommends an immediate update to patched versions (10.7.1 or later for version 10, 11.1.0 or later for version 11). 
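The advisory's fix thresholds differ by release series, which is easy to get wrong when triaging a fleet from version banners. The following is an added example, not code from the article, from CrushFTP or from Rapid7: it parses a CrushFTP version string, compares it against the fixed releases the advisory names (10.7.1 for 10.x, 11.1.0 for 11.x), and labels each host in a constructed inventory. The hostnames and versions in the inventory are made up, and the assumption that any 12.x-or-later release carries the fix is the author's, not the advisory's.

```python
"""Added example (not from the article, CrushFTP or Rapid7): decide from a
CrushFTP version string whether a host is still below the fixed releases
named in the advisory for CVE-2024-4040."""
import re
from typing import Dict, Tuple

# Fixed releases stated in the advisory: 10.7.1 for the 10.x series,
# 11.1.0 for the 11.x series.
FIXED_10 = (10, 7, 1)
FIXED_11 = (11, 1, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.6.2' or 'CrushFTP 11.0.3' into a comparable tuple of ints.

    Raises ValueError when the string carries no dotted numeric version,
    so callers can route unparsable banners to manual review."""
    match = re.search(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"no version number in {version!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad to three components so '11.1' compares equal to '11.1.0'.
    return parts + (0,) * max(0, 3 - len(parts))


def is_vulnerable(version: str) -> bool:
    """True when the version is below the fixed release for its series.

    11.x hosts need >= 11.1.0. Everything older (10.x and earlier) needs
    >= 10.7.1, since the advisory says all versions below 10.7.1 are affected."""
    v = parse_version(version)
    if v[0] >= 12:
        # Assumption (not stated in the advisory): later major releases
        # are built after the fix and therefore not affected.
        return False
    if v[0] == 11:
        return v < FIXED_11
    return v < FIXED_10


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version banner} inventory to an action."""
    actions = {}
    for host, version in inventory.items():
        try:
            actions[host] = "patch now" if is_vulnerable(version) else "ok"
        except ValueError:
            actions[host] = "verify manually"  # banner did not parse
    return actions


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ftp-a.example.internal": "CrushFTP 10.6.2",
    "ftp-b.example.internal": "10.7.1",
    "ftp-c.example.internal": "11.0.3",
    "ftp-d.example.internal": "11.1",
    "ftp-e.example.internal": "banner unavailable",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```

Hosts whose banner does not parse are deliberately not marked "ok": a missing version is an inventory gap, not evidence of a patch.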

While a DMZ might be seen as partially protective by the vendor, Rapid7 suggests applying the patch immediately due to the severity of the issue and the uncertainty around the effectiveness of a DMZ. 

Exploitation of CVE-2024-4040 is hard to detect because payloads can vary widely, and attackers can use evasion techniques to hide malicious content from logs, which makes malicious requests hard to distinguish from normal traffic.

Attackers might be able to evade detection even when a reverse proxy is in place.  

Additionally, on April 23, 2024, Rapid7 released a detection update for CVE-2024-4040, a server-side template injection vulnerability in CrushFTP.

The update includes information on how the vendor successfully fixed the vulnerability, detection rules for InsightIDR and Rapid7 MDR, and tools for finding vulnerable CrushFTP installations in InsightVM and Nexpose environments.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
