CrushFTP Zero-Day [CVE-2024-4040]
Ingrid

All versions of CrushFTP before 10.7.1 and 11.1.0 have a server-side template injection vulnerability, CVE-2024-4040. CrushFTP is a file transfer server supporting most encrypted and unencrypted file transfer protocols, so affected instances are typically Internet-facing and hold sensitive data.

Risks
CrushFTP indicates that this vulnerability allows an attacker to read files from the Virtual File System on the target server [1]. Rapid7, however, assesses that the vulnerability is exploitable without authentication and can lead to remote code execution [2]. Either scenario poses an immediate risk to the sensitive data of any organization running this software.

What To Do
Refer to the CrushFTP wiki and update CrushFTP to 10.7.1 or 11.1.0 (or later). Updating is the only fix; the mitigations below reduce exposure but do not remove the vulnerability.
Consider infrastructure changes: place file transfer servers within a DMZ instead of exposing them directly to the open Internet. A DMZ limits what a compromised server can reach but does not prevent an unauthenticated attacker from exploiting a service that is still reachable.
Identify and review vendors with assets running CrushFTP: search for CrushFTP in your Bitsight for 4th Party risk portfolio, and search for CVE-2024-4040 in Vulnerability Detection.

Resources
[1] CrushFTP, "April 19th, 2024 - CVE-2024-4040"
[2] Rapid7, "Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise"

April 24, 2024: Published.
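The "What To Do" guidance above amounts to comparing every known CrushFTP version against the two fixed releases, and the comparison has a trap: the fix landed in two separate release lines, so 10.7.1 is fixed while the numerically larger 11.0.x is not. The script below is an added example, not code from the original article or from CrushFTP; it triages a constructed host-to-version inventory. It assumes versions are recorded as "major.minor.patch" with an optional "_build" suffix, and that any release line newer than 11.x postdates the fix.

```python
"""Triage a CrushFTP version inventory against the CVE-2024-4040 fixed releases.

Added example, not from the original article or from CrushFTP. The inventory
below is constructed; the version-string format (major.minor.patch with an
optional _build suffix) is an assumption about how versions are recorded.
"""
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the CrushFTP advisory: the 10.x line is fixed
# from 10.7.1 and the 11.x line from 11.1.0. Everything earlier in each
# line, and every release older than 10.x, is affected.
FIX_10 = (10, 7, 1)
FIX_11 = (11, 1, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_\d+)?$")


def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Parse '11.0.3' or '10.5.1_37' into (11, 0, 3); None if unparseable."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable(raw: str) -> Optional[bool]:
    """True if the version is affected, False if fixed, None if unparseable.

    The check is per release line: 10.x is compared against 10.7.1 and 11.x
    against 11.1.0, so 11.0.3 is flagged even though it sorts above 10.7.1.
    """
    v = parse_version(raw)
    if v is None:
        return None
    major = v[0]
    if major < 10:
        return True
    if major == 10:
        return v < FIX_10
    if major == 11:
        return v < FIX_11
    # Assumption: any release line newer than 11.x postdates the fix.
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'fixed' or 'unknown' (unparseable)."""
    result = {}
    for host, version in inventory.items():
        state = is_vulnerable(version)
        if state is None:
            result[host] = "unknown"
        else:
            result[host] = "vulnerable" if state else "fixed"
    return result


# Constructed sample inventory; hostnames and versions are not real assets.
SAMPLE_INVENTORY = {
    "ftp-a.example.test": "11.0.3",
    "ftp-b.example.test": "11.1.0",
    "ftp-c.example.test": "10.7.1",
    "ftp-d.example.test": "10.5.1_37",
    "ftp-e.example.test": "9.4.0",
    "ftp-f.example.test": "unknown build",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual version check rather than being dropped from the list; an unparseable version string is not evidence that a server is patched.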