All versions of CrushFTP, a file transfer server supporting most encrypted and unencrypted file transfer protocols, before 10.7.1 and 11.1.0 have a server-side template injection vulnerability [CVE-2024-4040].
Risks
CrushFTP indicates this vulnerability allows reading of files from the Virtual File System on the target server [1]. However, Rapid7 believes this vulnerability can lead to remote code execution [2]. Either scenario poses an immediate risk to an organization's sensitive data if it uses this software.
What To Do
- Refer to the CrushFTP wiki and update CrushFTP.
- Consider infrastructure changes and place file transfer servers within a DMZ, instead of exposing the servers to the open Internet.
- Identify and review vendors with assets running CrushFTP:
  - Search for Crushftp in your Bitsight for 4th Party Risk portfolio.
  - Search for CVE-2024-4040 in Vulnerability Detection.
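To support the identification step above, the following is an added example (not CrushFTP's, Bitsight's or Rapid7's code) that triages an asset inventory against the fixed versions named in this advisory, 10.7.1 for the 10.x branch and 11.1.0 for the 11.x branch; the inventory records and host names are constructed for illustration.

```python
import re

# Fixed versions named in the advisory: 10.7.1 (10.x branch) and 11.1.0 (11.x branch).
FIXED_10 = (10, 7, 1)
FIRST_11 = (11, 0, 0)
FIXED_11 = (11, 1, 0)


def parse_version(text):
    """Turn a version string such as '10.7.0' or '11.0.2_build12' into a 3-int tuple.
    A leading 'v' and any trailing non-numeric build suffix are ignored;
    missing components count as 0 (assumed convention for this example)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version):
    """True when the build falls in an affected range of CVE-2024-4040."""
    v = parse_version(version)
    if v < FIXED_10:                 # 10.x and older releases before 10.7.1
        return True
    if FIRST_11 <= v < FIXED_11:     # 11.x releases before 11.1.0
        return True
    return False


def triage(inventory):
    """Return hosts from (host, product, version) records still running an affected CrushFTP build."""
    return [host for host, product, version in inventory
            if product.lower().replace(" ", "") == "crushftp" and is_affected(version)]


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("ftp-1.example.internal", "CrushFTP", "10.6.0"),
    ("ftp-2.example.internal", "CrushFTP", "10.7.1"),
    ("ftp-3.example.internal", "CrushFTP", "11.0.3"),
    ("ftp-4.example.internal", "CrushFTP", "11.1.0"),
    ("web-1.example.internal", "nginx", "1.24.0"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2024-4040, update per the CrushFTP wiki")
```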
Resources
- CrushFTP, “April 19th, 2024 - CVE-2024-4040”
- Rapid7, “Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise”
- April 24, 2024: Published.