Update now! CrushFTP vulnerability allows data theft and possibly server compromise

Some 2,700 CrushFTP instances have their web interface exposed online.

On April 19th, 2024, CrushFTP published a security advisory about a vulnerability in all versions of their software before 10.7.1 and 11.1.0.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE for this vulnerability is CVE-2024-4040, described as:

A server-side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

Roughly translated, this means that every CrushFTP server that is accessible from the internet will allow an attacker to access files even outside of the designated sandbox. The German Bundesamt für Sicherheit in der Informationstechnik (BSI) also states it’s aware of targeted attacks and automated scans for vulnerable servers.

The Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerability to the list of known exploited vulnerabilities. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by May 1, 2024, in order to protect their devices against active threats.

In a private memo, CrushFTP urged customers to patch their servers immediately, which is understandable since an exploit for the vulnerability was used in targeted attacks. Reportedly, some 2,700 CrushFTP instances have their web interface exposed online.

Despite earlier communications, not even a DMZ will fully protect you and you should update immediately. A DMZ or demilitarized zone is a perimeter network that adds an extra layer of security between an organization’s local-area network and untrusted traffic. To protect the corporate local area network, the web server is installed on a computer separate from internal resources. The DMZ enables communication between protected business resources, like internal databases, and qualified traffic from the internet.

How to update CrushFTP within the same major version number

  • Log in to the dashboard using your “crushadmin” equivalent user in the WebInterface.
  • Click on the about tab.
  • Click Update > Update Now.
  • Wait roughly 5 minutes for the files to download, unzip, and be copied in place. CrushFTP will restart automatically when it’s done.

CrushFTP assured customers that there is a simple rollback in case you have an issue or regression with some functionality.
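
To decide which servers need the update, the affected range above (all versions before 10.7.1 and 11.1.0) can be checked against an inventory. The following Python is an added example, not code from CrushFTP or from this article; the `host,version` inventory format, the hostnames, and the handling of a `_build` suffix on version strings are assumptions.

```python
import re

# Fixed releases named in the advisory, keyed by major version.
FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}

def parse_version(text):
    """Return (major, minor, patch); a trailing '_build' suffix (assumed format) is ignored."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(version_text):
    """Classify one version string against the CVE-2024-4040 affected range."""
    try:
        ver = parse_version(version_text)
    except ValueError:
        return "unknown", "version string not recognised; check manually"
    major = ver[0]
    if major in FIXED:
        fixed = FIXED[major]
        if ver >= fixed:
            return "not affected", "none"
        return "vulnerable", "update to " + ".".join(map(str, fixed)) + " or later"
    if major < min(FIXED):
        # "All versions before 10.7.1" includes older majors; the article
        # names no fixed release inside those major versions.
        return "vulnerable", "no same-major fix named; plan a major upgrade"
    return "not affected", "none"  # later than 11.1.0

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = """\
ftp-dmz-01,10.6.1
ftp-dmz-02,10.7.1
ftp-int-01,11.0.0_7
ftp-int-02,11.1.0
ftp-old-01,9.4.0
ftp-lab-01,unknown
"""

def report(inventory=INVENTORY):
    """Return (host, version, status, action) for each inventory line."""
    rows = []
    for line in inventory.strip().splitlines():
        host, version = (p.strip() for p in line.split(",", 1))
        rows.append((host, version) + triage(version))
    return rows

if __name__ == "__main__":
    for row in report():
        print("{:<12} {:<10} {:<13} {}".format(*row))
```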

If you have noticed or even suspect compromise, every unencrypted password stored on the server should be considered compromised. Change those passwords at your earliest convenience and enable multi-factor authentication (MFA) where possible.

