Zero-Day

CrushFTP Zero-Day Could Allow Attackers To Gain Complete Server Access

CrushFTP disclosed a zero-day vulnerability (CVE-2024-4040) affecting versions below 10.7.1 and 11.1.0. The vulnerability allows remote attackers with low privileges to bypass the VFS sandbox and read arbitrary files on the underlying filesystem. 

It could be exploited for server-side template injection (SSTI) attacks, granting attackers complete control over the compromised CrushFTP server and allowing remote attackers to bypass authentication, read arbitrary files with root privileges, and execute code on the server. 

The vulnerability is especially dangerous because it requires no authentication, and a publicly available exploit code exists.

Attackers can leverage this vulnerability to steal data, install malware, or completely compromise the CrushFTP server.

CVE-2024-4040 allows unauthenticated attackers to read arbitrary files outside the Virtual File System (VFS) sandbox.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

CrushFTP Zero-Day Full Server Access

This vulnerability was exploited in the wild before a patch was available, and around 5,200 CrushFTP servers are vulnerable because they are exposed to the public Internet. 

A further consequence of this vulnerability is that it enables unauthenticated attackers to read files located outside the designated file system sandbox, which could result in privilege escalation and remote code execution.  

Upgrading to CrushFTP 11.1.0 or 10.7.1 (depending on the version series) is necessary to mitigate the vulnerability, which has been validated to effectively address CVE-2024-4040. 

A critical CrushFTP vulnerability (CVE-2024-4040) allows attackers with low privileges to escape the VFS sandbox and potentially gain full system compromise as CrushFTP recommends an immediate update to patched versions (10.7.1 or later for version 10, 11.1.0 or later for version 11). 

While a DMZ might be seen as partially protective by the vendor, Rapid7 suggests applying the patch immediately due to the severity of the issue and the uncertainty around the effectiveness of a DMZ. 

It is hard to find exploits for CVE-2024-4040 because payloads can be very different, and attackers can use evasion techniques to hide malicious content from logs, which makes it hard to tell them apart from normal traffic.

Attackers might be able to get around detection even if a reverse proxy is in place.  

Additionally, on April 23rd, 2024, a detection update was made available to address CVE-2024-4040, a server-side template injection vulnerability in CrushFTP.

The update includes information on how the vendor successfully fixed the vulnerability, detection rules for InsightIDR and Rapid7 MDR, and tools for finding vulnerable CrushFTP installations in InsightVM and Nexpose environments.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

LATRODECTUS Loader Getting Popular Among Cybercriminals, Is It Replacing ICEDID!

Hackers use loaders to bypass security measures and run harmful code in a genuine process's…

3 hours ago

30+ Tesla Cars Hacked Using Third-Party Software

A security researcher identified a vulnerability in TeslaLogger, a third-party software used to collect data…

2 days ago

How to Use Threat Intelligence Feeds for SOC/DFIR Teams

Threat intelligence feeds provide real-time updates on indicators of compromise (IOCs), such as malicious IPs…

2 days ago

YARA-X, The Malware Researchers Toolbox Evolved

Malware experts all over the world can't do their jobs without YARA. YARA has been…

2 days ago

SugarGh0st RAT Attacking Organizations & Individuals in AI Research

The cybersecurity company Proofpoint has found a new operation using the SugarGh0st Remote Access Trojan…

2 days ago

New Cyber Attack Targeting Facebook Business Accounts

The email campaign impersonates the Facebook Ads Team to trick users into clicking a malicious…

2 days ago