A vulnerability (CVE-2024-4040) in the enterprise file transfer solution CrushFTP is being exploited by attackers in a targeted fashion, according to CrowdStrike.
The vulnerability allows attackers to escape their virtual file system (VFS) and download system files (e.g., configuration files). It is reachable only through the product's WebInterface, so hosts that expose the WebInterface to the internet are the ones at risk from external attackers.
According to Censys, there are currently 9,600+ publicly exposed CrushFTP hosts (virtual and physical), mostly in North America and Europe.
About CVE-2024-4040
CrushFTP sent out notices about CVE-2024-4040 to customers on Friday (April 19).
“The bottom line of this vulnerability is that any unauthenticated or authenticated user via the WebInterface could retrieve system files that are not part of their VFS. This could lead to escalation as they learn more, etc.,” the company said.
Discovered by Simon Garrelou, a security engineer at Airbus CERT, the vulnerability affects CrushFTP v11 and v10, and has been patched in v11.1.0 and v10.7.1. Customers still running CrushFTP v9 should upgrade to version v11.1.0.
Customers using CrushFTP's DMZ mode in front of their main CrushFTP instance are only partially protected. All customers are advised to upgrade immediately.
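As an added example (not the vendor's or this article's code), here is a small Python triage helper that applies the version rules stated above to a host inventory and ranks internet-exposed, unpatched hosts first. The inventory, host names and the assumption that CrushFTP version strings compare numerically component by component are mine; the fixed versions (11.1.0 and 10.7.1, with v9 going straight to 11.1.0) are the ones the vendor published.

```python
"""Triage helper for CVE-2024-4040: which CrushFTP hosts still need the fix?

Added example, not vendor code. Assumptions: versions compare numerically per
dotted component, and the inventory is a list of (host, version, exposed) rows.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed versions as published by the vendor, keyed by major release line.
FIXED = {11: (11, 1, 0), 10: (10, 7, 1)}
# v9 (or anything older) has no fix in its own line; the vendor says go to 11.1.0.
LATEST = (11, 1, 0)


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '10.7.1' (or 'v10.7.1') into (10, 7, 1), padded to three components.

    Plain string comparison would rank '10.10.0' below '10.7.1', so we compare
    integer tuples instead. Padding keeps '11.1' from sorting below '11.1.0'.
    """
    parts = s.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    v = tuple(int(p) for p in parts)
    return v + (0,) * (3 - len(v)) if len(v) < 3 else v


def format_version(v: Tuple[int, ...]) -> str:
    return ".".join(str(n) for n in v)


@dataclass
class Verdict:
    host: str
    version: str
    vulnerable: bool
    exposed: bool
    recommended: Optional[str]  # version to upgrade to, or None if already fixed


def assess(host: str, version: str, exposed: bool) -> Verdict:
    """Decide whether one host is affected and which version it should move to."""
    v = parse_version(version)
    major = v[0]
    if major >= 11:
        target = FIXED[11]
    elif major == 10:
        target = FIXED[10]
    else:
        target = LATEST  # v9 and older: no patched release in that line
    vulnerable = v < target
    return Verdict(host, version, vulnerable, exposed,
                   format_version(target) if vulnerable else None)


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Verdict]:
    """Assess every host; exposed-and-vulnerable first, then vulnerable, then fixed."""
    verdicts = [assess(*row) for row in inventory]
    verdicts.sort(key=lambda r: (not (r.vulnerable and r.exposed), not r.vulnerable, r.host))
    return verdicts


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("ftp-dmz-01", "11.0.3", True),
    ("ftp-int-02", "10.6.2", False),
    ("ftp-dmz-03", "10.7.1", True),
    ("ftp-legacy-04", "9.5", True),
    # Hypothetical version chosen to show why string comparison is wrong:
    # "10.10.0" < "10.7.1" as strings, but (10, 10, 0) > (10, 7, 1).
    ("ftp-int-05", "10.10.0", False),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        status = "VULNERABLE" if r.vulnerable else "fixed"
        where = "internet-facing" if r.exposed else "internal"
        action = f"upgrade to {r.recommended}" if r.recommended else "no action"
        print(f"{r.host:<14} {r.version:<8} {status:<10} {where:<15} {action}")
```

Feed it the output of whatever asset inventory you already keep; the ordering puts the hosts Censys-style scans would find at the top of the patch queue.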
According to the company, there is no definitive way to check whether the exploit has been leveraged against an internet-facing CrushFTP host.
“The nature of this was common words that could be in your log already. So there is no silver bullet search term to check for,” they said.
The targets
These attacks against CrushFTP hosts appear to be reconnaissance efforts. CrowdStrike said that multiple US entities have been probed, and that this intelligence-gathering activity could be politically motivated.
But zero-days in enterprise-grade file transfer solutions have also lately been popular with ransomware-wielding attackers.