Eagle Eye Security Blog
Published at Apr 20, 2024 07:52 am last update at Apr 20, 2024 07:52 am

CrushFTP Urges Immediate Patching of Newly Discovered Zero-Day Exploit

CrushFTP has issued an urgent warning to its customers about an actively exploited zero-day vulnerability. The company has urged users to immediately patch their servers, as detailed in a private memo and public security advisory released today.

The zero-day bug allows unauthenticated attackers to bypass the user's virtual file system (VFS) and download system files. However, users who have a DMZ (demilitarized zone) perimeter network in front of their main CrushFTP instance are safeguarded against these attacks.

In an email to customers, CrushFTP stated, "Please take immediate action to patch ASAP. A vulnerability was reported today (April 19th, 2024), and we patched it immediately. [..] This vulnerability exists in the wild."

The company further explained that any user of the WebInterface, authenticated or not, could retrieve system files outside their VFS, and that the impact could escalate as more is learned about the flaw.

CrushFTP also advised customers running CrushFTP v9 to immediately upgrade to v11 or update their instance via the dashboard. "There is a simple rollback in case you have an issue or regression with some functionality. Update immediately," CrushFTP warned.

The security flaw was reported by Simon Garrelou of Airbus CERT and is now fixed in CrushFTP versions 10.7.1 and 11.1.0.

According to Shodan, at least 2,700 CrushFTP instances have their web interface exposed online to attacks, although it's impossible to determine how many have yet to be patched.
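As an added example (not CrushFTP's code and not part of the advisory), the script below turns the two facts a defender needs from this article into a triage check: an instance is patched only if it runs at least 10.7.1 on the 10.x branch or at least 11.1.0 on the 11.x branch, v9 has no fix and must be upgraded, and an unpatched server whose web interface is exposed without a DMZ instance in front of it is the most urgent case. The `Instance` record and its fields, the version-string format, and the choice to report majors newer than 11 as "unknown" rather than assume they are fixed are assumptions of this example.

```python
"""Triage CrushFTP instances against the fixed releases named in the
April 2024 advisory (10.7.1 and 11.1.0).  Added example, not vendor code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Fixed releases per major branch, as stated in the advisory.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    10: (10, 7, 1),
    11: (11, 1, 0),
}

# Accepts "v10.7.1", "11.1", "9.4"; missing components are treated as 0.
# Assumption: the version string starts with dotted integers.
_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return major, minor, patch


def assess(version_text: str) -> str:
    """Classify one version as patched / vulnerable / end-of-branch / unknown."""
    version = parse_version(version_text)
    major = version[0]
    if major <= 9:
        # The advisory offers no fix for v9: upgrade to v11.
        return "end-of-branch"
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        # Assumption: a major the advisory does not mention is "unknown",
        # not silently treated as fixed.
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


@dataclass(frozen=True)
class Instance:
    """Hypothetical inventory record for one CrushFTP server."""
    host: str
    version: str
    web_interface_exposed: bool   # WebInterface reachable from the internet
    dmz_in_front: bool            # a DMZ perimeter instance fronts this server


def priority(inst: Instance) -> str:
    """Map patch status plus exposure onto a remediation priority."""
    status = assess(inst.version)
    if status == "patched":
        return "ok"
    if status == "unknown":
        return "verify"
    # Vulnerable or end-of-branch.  The advisory says a DMZ instance in
    # front shields the main server; an exposed, un-fronted server is
    # reachable by unauthenticated attackers and goes first.  Even a
    # non-exposed server still needs the patch, since authenticated
    # WebInterface users can also read files outside their VFS.
    if inst.web_interface_exposed and not inst.dmz_in_front:
        return "urgent"
    return "patch"


_RANK = {"urgent": 0, "patch": 1, "verify": 2, "ok": 3}


def triage(inventory: List[Instance]) -> List[Tuple[str, str]]:
    """Return (host, priority) pairs, most urgent first (stable order)."""
    pairs = [(inst.host, priority(inst)) for inst in inventory]
    return sorted(pairs, key=lambda p: _RANK[p[1]])


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Instance("ftp-a.example", "10.6.2", web_interface_exposed=True, dmz_in_front=False),
    Instance("ftp-b.example", "11.1.0", web_interface_exposed=True, dmz_in_front=False),
    Instance("ftp-c.example", "9.4", web_interface_exposed=True, dmz_in_front=True),
    Instance("ftp-d.example", "11.0.0", web_interface_exposed=False, dmz_in_front=False),
]

if __name__ == "__main__":
    for host, prio in triage(SAMPLE_INVENTORY):
        print(f"{prio:7s} {host}")
```

Feed the script whatever your asset inventory reports as the CrushFTP version (the dashboard shows it); the "verify" bucket exists so that a version the table does not know about is looked at by a person rather than quietly passed.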

Cybersecurity company CrowdStrike confirmed the vulnerability in an intelligence report. The company's Falcon OverWatch and Falcon Intelligence teams have observed the CrushFTP zero-day being exploited in targeted attacks, primarily against U.S. organizations. The evidence suggests a likely politically motivated intelligence-gathering campaign.

CrushFTP users are advised to continue following the vendor's website for the most up-to-date instructions and prioritize patching.

In November, CrushFTP customers were also warned to patch a critical remote code execution vulnerability (CVE-2023-43177) after Converge security researchers reported the flaw and released a proof-of-concept exploit.