Patch Now: CrushFTP Zero-Day Cloud Exploit Targets US Orgs

Published: 23/11/2024 | Category: security

An exploit for the vulnerability allows unauthenticated attackers to escape a virtual file system sandbox to download system files and potentially achieve RCE.
Virtual file transfer system provider CrushFTP and various security researchers are sounding the alarm about a sandbox escape flaw in the CrushFTP server that attackers have already exploited as a zero-day in attacks against organizations in the US.

CrushFTP is a multiprotocol, multiplatform, cloud-based file transfer server. The security vulnerability, tracked as CVE-2024-4040, is an improper input validation bug in the CrushFTP file transfer server version 11.1. The company disclosed and patched the flaw on April 19 with the release of version 11.1.0 of the product; however, there were already various reports of threat actors hammering the flaw with an existing exploit.
These attacks, which were potentially politically motivated, were targeted in nature for intelligence gathering and were detected at various US entities, according to CrowdStrike's threat hunters Falcon OverWatch and Falcon Intelligence, which published an advisory on Reddit.
The attack scenario is developing, with new research by Tenable published April 23 identifying more than 7,100 publicly accessible CrushFTP servers, based on a Shodan query in a Nuclei template created by h4sh, according to the report. However, "it's unclear how many of these systems are potentially vulnerable," Satnam Narang, a Tenable senior staff research engineer, noted in the post.
Attacks are likely to continue on unpatched servers given that a proof-of-concept (PoC) exploit for the flaw is now publicly available, posted April 23 to GitHub by the researcher who discovered and reported the flaw to CrushFTP, Simon Garrelou of Airbus Community Emergency Response Team (CERT), Narang added.

Other attackers also aim to benefit from all the attention on the flaw by targeting users with fake PoCs, Narang wrote, noting that there is already a repository posted to GitHub that directs users to a third-party site called SatoshiDisk, which requests a payment of 0.00735 bitcoin (around $513) for an alleged exploit.

"It is unlikely that the exploit code will work and we do not expect it to be malicious in nature," Narang wrote. "Instead, it is more likely that the attackers are seeking to make money from the interest in the exploit code for this vulnerability."
The vulnerability, as described by the vendor, is an arbitrary read flaw that allows an attacker with low privileges to escape the server's virtual file system (VFS) sandbox to access and download system files.

However, there is evidence that there is more to the flaw than has so far been reported, Rapid7 researchers noted in a blog post published on April 23.

"Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI)," Caitlin Condon, Rapid7's director of vulnerability intelligence, wrote in the post.

"CVE-2024-4040 is a fully unauthenticated flaw and is easy to exploit; successful exploitation allows not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution (RCE)," she observed.

"Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance," Condon wrote.
The PoC exploit posted by Garrelou includes two scripts. The first, scan_host.py, attempts to use the vulnerability to read files outside the sandbox, according to the GitHub post.
If it succeeds, the script writes "Vulnerable" to standard output and returns with exit code 1, according to Garrelou. If exploiting the vulnerability does not succeed, the script writes "Not vulnerable" and exits with status code 0.
The second script, scan_logs.py, looks for indicators of compromise in a CrushFTP server installation directory and, upon finding them, will attempt to extract the IP that tried to exploit the server.
The best way for organizations with CrushFTP present in their environment to mitigate the situation is to update their systems to the patched version of the product now, the company and security researchers alike advised.
Customers using a front-end demilitarized zone (DMZ) server to process protocols and connections in front of their main CrushFTP instance are afforded partial protection from exploitation due to the protocol translation system used in the DMZ, according to CrushFTP.

"A DMZ, however, does not fully protect you, and you must update immediately," the company advised customers in its advisory.

One of the factors complicating an organization's detection of exploitation of CVE-2024-4040 is that payloads can be delivered in many different forms, Rapid7's Condon noted.

"When certain evasive techniques are leveraged, payloads will be redacted from logs and request history, and malicious requests will be difficult to discern from legitimate traffic," she wrote.

For this reason, Rapid7 recommends that CrushFTP customers harden their servers against administrator-level RCE attacks by enabling Limited Server mode with the most restrictive configuration possible. Condon added that they should also use firewalls wherever possible to aggressively restrict which IP addresses are permitted to access CrushFTP services.
