CrushFTP systems vulnerability - 20240430001

Overview

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

What is vulnerable?

CVE	Severity	CVSS	Product(s) Affected	Dated
CVE-2024-4040	Critical	10.0	CrushFTP versions prior to 10.7.1 and 11.1.0	22-04-2024

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of one month... (refer Patch Management):

• Crush11wiki: Update (crushftp.com)

Additional References

• CVE-2024-4040 | Tenable®
• CVE-2024-4040 | AttackerKB
• Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day - SecurityWeek