CrushFTP Zero-Day [CVE-2024-4040] – April 24, 2024
Ingrid

All versions of CrushFTP before 10.7.1 and 11.1.0 have a server-side template injection vulnerability [CVE-2024-4040]. CrushFTP is a file transfer server that supports most encrypted and unencrypted file transfer protocols. See the resource center.

Recent News

CrowdStrike has reported that one actor is actively exploiting the CrushFTP vulnerability across US entities for intelligence-gathering purposes. A CrushFTP official told The Record that they do not know of any affected customers, but that compromise is likely. Proof-of-concept code is available via Airbus. Counts of publicly exposed CrushFTP servers vary: Rapid7 reports about 5.6k, while media reports cite about 2.6k based on Shodan. Exposure counts do not distinguish patched from unpatched instances, so the number of actually vulnerable servers is lower than either figure.

Bitsight Status

In 2024 we have detected approximately 6.5k CrushFTP servers globally, and approximately 1% of companies may directly depend on CrushFTP. We are evaluating a high-confidence detection capability for viability.
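The only hard facts an asset owner needs for triage are the two fixed releases named above, 10.7.1 and 11.1.0. The following is an added example (not Bitsight's or CrushFTP's code) that turns that range statement into a repeatable check over an inventory of version strings. The banner strings are constructed sample input; how a given CrushFTP host discloses its version is not described on this page, so feeding real banners into `parse_version` is an assumption the reader must verify for their deployment. Versions on a major branch newer than 11 are assumed to carry the fix, which the advisory does not state.

```python
"""Triage helper: is a CrushFTP version in the range affected by CVE-2024-4040?

Added example, not Bitsight's or CrushFTP's own code. The only facts it relies
on are the fixed releases from the advisory text: 10.7.1 and 11.1.0.
"""
import re
from typing import Dict, Tuple

# Fixed releases per the advisory; anything earlier on each branch is affected.
FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted numeric version from a string such as 'CrushFTP 11.0.3'.

    Raises ValueError if no version-looking token is present so that an
    unparsed banner is never silently treated as 'not vulnerable'.
    """
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to at least three components so '11.1' compares equal to 11.1.0.
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True if the version predates the fix on its major branch.

    - 10.x: fixed in 10.7.1
    - 11.x: fixed in 11.1.0
    - anything older than 10 never received a fix and is treated as affected
      ("all versions before 10.7.1 and 11.1.0")
    - anything newer than 11 is assumed to carry the fix (assumption; the
      advisory names only these two branches)
    """
    major = version[0]
    if major < 10:
        return True
    if major > 11:
        return False
    # Tuple comparison is lexicographic, so (10, 7, 0) < (10, 7, 1).
    return version < FIXED[major]


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'vulnerable', 'fixed' or 'unknown'.

    'unknown' is a distinct state on purpose: a host whose version could not
    be read must be followed up, not dropped from the report.
    """
    results: Dict[str, str] = {}
    for host, banner in banners.items():
        try:
            version = parse_version(banner)
        except ValueError:
            results[host] = "unknown"
            continue
        results[host] = "vulnerable" if is_vulnerable(version) else "fixed"
    return results


# Constructed sample inventory; hostnames and banners are not real.
SAMPLE_BANNERS = {
    "ftp-a.example": "CrushFTP 10.7.0",
    "ftp-b.example": "CrushFTP 10.7.1",
    "ftp-c.example": "CrushFTP 11.0.3",
    "ftp-d.example": "CrushFTP 11.1.0",
    "ftp-e.example": "CrushFTP 9.4.0",
    "ftp-f.example": "CrushFTP",
}

if __name__ == "__main__":
    for host, state in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {state}")
```

Note that a version check only tells you whether a host is in the affected range; it says nothing about whether it was already exploited. Hosts in the "vulnerable" or "unknown" buckets should be patched and then reviewed for signs of prior compromise rather than simply upgraded and forgotten.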