All versions before 10.7.1 and 11.1.0 of CrushFTP, a file transfer server supporting most encrypted and unencrypted file transfer protocols, have a server-side template injection vulnerability [CVE-2024-4040].
See the resource center.
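As an added example (not code from the Bitsight page or from CrushFTP), the following Python helper applies the version boundaries stated above to an inventory of CrushFTP server banners, so affected hosts can be prioritised for patching. The hostnames and banner strings are constructed; the version-string format is an assumption.

```python
"""Flag CrushFTP version strings affected by CVE-2024-4040.

The advisory says every version before 10.7.1 and before 11.1.0 is
affected. The fix shipped separately on each supported major line, so
the check must be per-line: 11.0.x is still affected even though it is
numerically above 10.7.1, and major lines older than 10 have no fix.
"""
import re

# Fixed version per major line, taken from the advisory text.
FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(raw: str) -> tuple[int, ...]:
    """Turn a banner such as 'CrushFTP 10.7.1' into a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)*)", raw)
    if not m:
        raise ValueError(f"no version number in {raw!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '10.7' -> (10, 7, 0)


def is_affected(raw: str) -> bool:
    """True when the version predates the fix for its major line."""
    ver = parse_version(raw)
    major = ver[0]
    if major in FIXED:
        return ver < FIXED[major]
    # Major lines newer than the advisory covers are treated as fixed;
    # older lines never received a patch and are affected.
    return major < min(FIXED)


def triage(inventory: dict[str, str]) -> list[str]:
    """Return hostnames whose banner reports an affected version."""
    return sorted(h for h, banner in inventory.items() if is_affected(banner))


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and banners are made up).
    sample = {
        "ftp-a.example.internal": "CrushFTP 10.6.0",
        "ftp-b.example.internal": "CrushFTP 10.7.1",
        "ftp-c.example.internal": "CrushFTP 11.0.2",
        "ftp-d.example.internal": "CrushFTP 11.1.0",
        "ftp-e.example.internal": "CrushFTP 9.5.3",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} is affected by CVE-2024-4040")
```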
Recent News
- CrowdStrike has reported one actor actively exploiting the CrushFTP vulnerability across US entities for intelligence gathering purposes. A CrushFTP official told The Record that they do not know of any affected customers, but that compromise is likely.
- Proof-of-concept code is available via Airbus.
- Accounts of the number of vulnerable servers vary, with Rapid7 indicating 5.6k and media reports indicating 2.6k via Shodan.
Bitsight Status
In 2024, we detected 6.5k CrushFTP servers globally, and approximately 1% of companies may directly depend on CrushFTP.
We are evaluating a high confidence detection capability for viability.