TLDR:
- A critical CrushFTP zero-day vulnerability (CVE-2024-4040) allows attackers to exfiltrate all files on the server.
- A patch is available, but active exploitation has been observed by cybersecurity vendors such as Airbus CERT and CrowdStrike.
A critical CrushFTP zero-day vulnerability, tracked as CVE-2024-4040, has been actively exploited by threat actors, allowing them to bypass authentication, gain administrative access, and achieve full remote code execution on the file transfer server. The vulnerability affects the CrushFTP Virtual File System (VFS) in versions below 11.1; a patch has been released to fix the issue. The vulnerability was discovered and reported by security engineer Simon Garrelou of Airbus CERT, who observed active exploitation in the wild. Other cybersecurity vendors, including CrowdStrike, have also confirmed active exploitation of CVE-2024-4040.
The vulnerability, also referred to as a “VFS Sandbox Escape,” allows remote attackers to read files from the filesystem outside of the VFS sandbox, which is what makes it a critical issue. Rapid7 has further analyzed the vulnerability, noting that successful exploitation could lead to the exfiltration of all files stored on the CrushFTP instance. The company advised customers to follow the mitigation recommendations and apply the patch to protect their servers.
Security researchers have observed thousands of internet-exposed CrushFTP servers, many of which remain vulnerable because updates have been delayed. Although CrushFTP has released a fix, some customers have faced challenges in updating and mitigating the issue. Organizations running CrushFTP should act quickly to patch their servers and prevent potential data breaches.
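A quick way to act on the version threshold the article gives (below 11.1 is affected) is to triage an internal inventory of CrushFTP hosts by the version string each one reports. The script below is an added example written for this page; it is not code from the article, from Rapid7, or from CrushFTP. It assumes you already have a list of hostnames and the version banner or "About" string gathered from each server (the inventory entries here are constructed sample data), and it treats 11.1 as the fix line solely because that is what the article states; confirm the exact fixed builds against the vendor advisory before closing a ticket.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fix line as stated in the article: anything below 11.1 is treated as affected.
FIXED_VERSION: Tuple[int, ...] = (11, 1)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull a dotted numeric version (e.g. '11.0.3', '10.7.1') out of a banner
    or about-page string. Returns None when no version is present."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...],
                  fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """Compare two dotted versions component by component.

    Both tuples are zero-padded to the same length so that '11.1' and
    '11.1.0' compare as equal rather than relying on tuple-length ordering."""
    width = max(len(version), len(fixed))
    padded_version = version + (0,) * (width - len(version))
    padded_fixed = fixed + (0,) * (width - len(fixed))
    return padded_version < padded_fixed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'patched' or 'unknown' (no parsable version).

    'unknown' is deliberately kept separate so a host whose banner was
    stripped or unreachable is not silently counted as patched."""
    results: Dict[str, str] = {}
    for host, banner in inventory:
        version = parse_version(banner)
        if version is None:
            results[host] = "unknown"
        elif is_vulnerable(version):
            results[host] = "vulnerable"
        else:
            results[host] = "patched"
    return results


# Constructed sample inventory; hostnames and banners are illustrative only.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ftp-a.example.internal", "CrushFTP 11.0.3"),
    ("ftp-b.example.internal", "CrushFTP Version 11.1.0"),
    ("ftp-c.example.internal", "CrushFTP 10.7.1"),
    ("ftp-d.example.internal", "banner suppressed"),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:28} {status}")
```

Hosts reported as "unknown" need a manual check rather than being dropped from the patch list; an absent banner is not evidence that the fix is installed.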