Hackers are likely already taking advantage of a vulnerability in a particular version of the file transfer application.
A vulnerability in the CrushFTP file transfer application that allows users to “escape” the application’s virtual file system (VFS) and download files outside it is already being exploited, according to the software’s developers.
CrushFTP first disclosed the vulnerability – CVE-2024-4040 – last week, warning in an update on the app’s wiki that a patched version needed to be rolled out.
“CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files,” the wiki update, dated 19 April, said. “This has been patched in v11.1.0.”
The company had suggested that users operating CrushFTP behind a DMZ were safe, but that advice was updated on 22 April.
“Customers using a DMZ in front of their main CrushFTP instance are partially protected with its protocol translation system it utilises,” CrushFTP’s wiki now said. “A DMZ, however, does not fully protect you, and you must update immediately.”
CrushFTP went into more detail on the vulnerability in a 20 April mass mail-out to its users, shared by a poster on Reddit.
“The bottom line of this vulnerability is that any unauthenticated or authenticated user via the WebInterface could retrieve system files that are not part of their VFS. This could lead to escalation as they learn more, etc,” the notification said.
“If you are still on CrushFTP v9, you need to upgrade to v11 immediately! Otherwise, perform an update directly in your CrushFTP dashboard.”
At the same time, security company CrowdStrike released its own analysis on Reddit, noting that “Falcon OverWatch and Falcon Intelligence have observed this exploit being used in the wild in a targeted fashion”.
CrowdStrike also said that “multiple US entities” were being targeted, possibly as a part of “politically motivated” intelligence gathering.
Today (23 April), a CrushFTP spokesperson admitted that some customers are likely already compromised.
“I am sure there have been, and they just are slow to apply updates and don’t realise yet,” the spokesperson told Recorded Future.
“We have seen a customer who was already patched who was probed for the vulnerability. Had they not been updated, important config info would have been stolen. We can’t stress enough that customers need to update ASAP, or block all IPs except known good IPs and operate in a whitelisting mode.”
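The upgrade boundary the wiki gives (v11 below 11.1 vulnerable, fixed in 11.1.0; v9 must move to v11) and the interim advice to run in an allowlisting mode translate into two small checks a defender can script. The block below is an added example and is not CrushFTP’s or the article’s own code; the version strings and the CIDR ranges in it are constructed sample values, and because the page does not describe CrushFTP’s configuration or log formats the functions take plain strings rather than reading any product file.

```python
"""Added example (not CrushFTP's own code): two defender-side checks that follow
the advisory text quoted above.

Assumptions, labelled: the version strings and the allowlist below are constructed
sample values; CrushFTP's real config, log and API formats are not on the page.
"""
import ipaddress
from typing import Iterable

# Boundary stated in the wiki update: v11 below 11.1 is vulnerable, fixed in 11.1.0.
FIXED_VERSION = (11, 1, 0)


def parse_version(version: str) -> tuple:
    """Turn '11.0.3' into (11, 0, 3); a non-numeric component raises ValueError."""
    return tuple(int(p) for p in version.strip().split("."))


def advisory_status(version: str) -> str:
    """Classify a CrushFTP version string against CVE-2024-4040 as the page describes it.

    Returns one of:
      'vulnerable'       - v11 below 11.1
      'patched'          - 11.1.0 or later
      'upgrade_required' - v9 (the mail-out says: upgrade to v11 immediately)
      'not_covered'      - any other major version; the page says nothing about it,
                           so the script refuses to assume it is safe
    """
    v = parse_version(version)
    major = v[0]
    if major == 11:
        # Pad to three components so '11.1' compares equal to (11, 1, 0).
        padded = v + (0,) * (3 - len(v))
        return "patched" if padded[:3] >= FIXED_VERSION else "vulnerable"
    if major == 9:
        return "upgrade_required"
    return "not_covered"


def build_allowlist(cidrs: Iterable[str]) -> list:
    """Parse the known-good ranges once; strict=False tolerates host bits being set."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(client_ip: str, allowlist: list) -> bool:
    """Default-deny: True only when the client address sits inside an allowlisted range.

    An unparseable address is denied rather than raising, and an IPv6 client is never
    matched by an IPv4 range (ipaddress returns False across address families).
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


# Constructed sample allowlist (documentation ranges as stand-ins for real known-good IPs).
KNOWN_GOOD = ["203.0.113.0/24", "2001:db8::/32"]


def triage(version: str, client_ips: Iterable[str]) -> dict:
    """Summarise one instance: its advisory status plus which connecting IPs the
    allowlist would drop until the update is applied."""
    allow = build_allowlist(KNOWN_GOOD)
    return {
        "status": advisory_status(version),
        "blocked": [ip for ip in client_ips if not is_allowed(ip, allow)],
    }


if __name__ == "__main__":
    # Constructed sample input: an unpatched v11 instance seeing four client addresses.
    print(triage("11.0.3", ["203.0.113.7", "198.51.100.9", "2001:db8::1", "garbage"]))
```

The `not_covered` outcome is deliberate: the article only quotes guidance for v9 and v11, so any other major version is reported for manual review instead of being silently marked safe, and the allowlist check denies by default so that a typo in a client address fails closed.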
Vulnerabilities in file transfer tools can lead to cascading attacks on a large number of companies. Last year’s MOVEit hack – which saw the Clop ransomware gang take advantage of a similar vulnerability – has racked up 2,611 victim organisations to date, for instance.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.