The critical zero-day vulnerability in CrushFTP has been exploited in real-world attacks.

CrowdStrike experts warn that attackers have exploited a critical zero-day vulnerability in the enterprise file-transfer software CrushFTP in targeted attacks. CrushFTP is a file server that provides secure and efficient file transfer capabilities. It supports protocols such as FTP, SFTP, FTPS, HTTP, HTTPS, WebDAV and WebDAV over SSL, allowing users to transfer files securely across different networks. CrushFTP also offers automation, scripting, user management and extensive configuration options to meet the varied needs of businesses and organizations.

Vulnerability in CrushFTP

CrushFTP has notified users about a vulnerability in the virtual file system (VFS) that affects its FTP software and could allow users to upload system files. "The vulnerability exists in CrushFTP versions v11 below 11.1, where users can escape their VFS and upload system files. This has been fixed in v11.1.0. Clients using a DMZ in front of their main CrushFTP instance are protected thanks to the protocol conversion system it employs," the message states.
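The advisory only says that users could "escape their VFS"; it does not describe how. As an added illustration (not CrushFTP's code, and not the actual mechanism of this bug), the following Python sketch shows the kind of confinement check a file server's virtual file system is expected to enforce before serving an upload or download, and the path patterns such a check must reject. The virtual root, the user name and the helper names are constructed for the example.

```python
"""Added example: confining client-supplied paths to a per-user virtual root.

This is generic illustration code, not CrushFTP's implementation. It works on
POSIX-style path strings only, so it runs offline without touching the disk.
"""
import posixpath


class VfsEscapeError(Exception):
    """Raised when a requested path would resolve outside the user's VFS root."""


def resolve_in_vfs(vfs_root: str, requested: str) -> str:
    """Map a client path onto the user's virtual root, or refuse it.

    Rules applied, in order:
      1. NUL bytes are rejected outright (they truncate paths in C-based code).
      2. Backslashes are treated as separators so "..\\" cannot slip past
         a forward-slash-only check.
      3. A leading '/' is stripped: every client path is relative to the
         root, never to the real filesystem.
      4. The joined path is normalised (collapsing '.', '..' and '//') and
         must still start with "<root>/" or equal the root itself.
    """
    if "\x00" in requested:
        raise VfsEscapeError("NUL byte in path")
    cleaned = requested.replace("\\", "/").lstrip("/")
    root = posixpath.normpath(vfs_root)
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    # The trailing separator matters: without it "/srv/vfs/alice2" would
    # pass a prefix check against the root "/srv/vfs/alice".
    if candidate != root and not candidate.startswith(root + "/"):
        raise VfsEscapeError(f"path escapes VFS root: {requested!r}")
    return candidate


def is_confined(vfs_root: str, requested: str) -> bool:
    """Convenience predicate for tests and audit scripts."""
    try:
        resolve_in_vfs(vfs_root, requested)
        return True
    except VfsEscapeError:
        return False


if __name__ == "__main__":
    # Constructed sample root and requests; a real server would also
    # resolve symlinks (os.path.realpath) on the mapped physical path.
    ROOT = "/srv/vfs/alice"
    samples = [
        "docs/report.txt",          # normal relative path: allowed
        "/docs/report.txt",         # leading slash is relative to the root
        "../../etc/passwd",         # classic traversal: rejected
        "docs/../../../etc/passwd", # traversal after a valid component
        "..\\..\\etc\\passwd",      # backslash variant
        "../alice2/secret",         # sibling root with shared prefix
    ]
    for req in samples:
        verdict = "allowed" if is_confined(ROOT, req) else "REJECTED"
        print(f"{req!r:30} -> {verdict}")
```

In a real server the check belongs on every operation that takes a client path (upload, download, rename, delete, list), and the mapped physical path should additionally be resolved with `realpath` so that symlinks inside the root cannot point outside it.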

Vulnerability detection

The vulnerability was discovered by Simon Garrelou of Airbus CERT. CrowdStrike researchers found that attackers exploited the critical zero-day in targeted attacks. "On April 19, 2024, CrushFTP announced a vulnerability in the virtual file system present in their FTP software, which could allow users to upload system files. Falcon OverWatch and Falcon Intelligence have observed this exploit being used in the wild in a targeted fashion," CrowdStrike stated in a post on Reddit.

The vulnerability has not yet been assigned a CVE identifier. Pierluigi Paganini. Follow me on Twitter: @securityaffairs, Facebook and Mastodon (SecurityAffairs – hacking, zero-day).
