Over 1,400 CrushFTP Servers Vulnerable To Actively Exploited Bug

Last Friday, CrushFTP disclosed details of critical severity server-side template injection vulnerability in its file transfer software that is being actively exploited in attacks in the wild. Tracked as CVE-2024-4040, the flaw could enable actors to perform a virtual file system escape to read any file on the server’s file system, gain administrative privileges, and perform remote code execution to effectively compromise unpatched systems. Although patches were issued by the vendor, a recent scan from the Shadowserver threat monitoring platform indicates that there are still over 1,400 unpatched CrushFTP instances, the majority of which reside in the United States (725), followed by Germany (115) and Canada (108).

Security Officer Comments:
A proof-of-concept exploit has been issued for the flaw, which has been published on GitHub, making it easier for threat actors to leverage the exploit in attacks to compromise vulnerable CrushFTP instances. The vendor notes that the flaw is actively being exploited in attacks in the wild. While details of these attacks have been limited in disclosure, cybersecurity firm CrowdStrike says it has observed attacks targeting CrushFTP servers in multiple U.S. organizations. The firm noted that these attacks seem to be politically motivated, indicating that state-sponsored actors are behind the latest intrusions.

Suggested Corrections:
Vulnerabilities in file transfer solutions and software seem to be commonly sought after by actors, given the potential to steal sensitive data from organizations, which can be held hostage for ransom payments or in the case of nation-states, used to gain a geopolitical advantage. Last year, Cl0p ransomware was able to identify a zero-day vulnerability in the MOVEit file transfer application, enabling the gang to steal data from hundreds of organizations across the globe and net in a projected 100+ million dollars in ransom payments. Given that actors are now exploiting a similar vulnerability in CrushFTP, this highlights the need for organizations to prioritize in applying the patches released by the vendor and securing their appliances accordingly to thwart potential attacks.

For more information, please defer to CrushFTP’s advisory below: