In November 2023, CrushFTP customers were also warned to patch a critical remote code execution vulnerability (CVE-2023-43177) in the company's enterprise suite after Converge security researchers who reported the flaw released a proof-of-concept exploit three months after the flaw was addressed. In April 2024, CrushFTP also released security updates to patch an actively exploited zero-day vulnerability (CVE-2024-4040) that allowed unauthenticated attackers to escape the user's virtual file system (VFS) and download system files. As the company also explained in an email sent to customers on Friday (seen by BleepingComputer), the security flaw enables attackers to gain unauthenticated access to unpatched servers if they are exposed on the Internet over HTTP(S). CrushFTP warned customers of an unauthenticated HTTP(S) port access vulnerability and urged them to patch their servers immediately. While the email says this vulnerability only affects CrushFTP v11 versions, an advisory issued on the same day says that both CrushFTP v10 and v11 are impacted, as cybersecurity company Rapid7 first noted. At the time, cybersecurity company CrowdStrike found evidence pointing to an intelligence-gathering campaign, likely politically motivated, with the attackers targeting CrushFTP servers at multiple U.S. organizations. File transfer products like CrushFTP are attractive targets for ransomware gangs, specifically Clop, which was linked to data theft attacks targeting zero-day vulnerabilities in MOVEit Transfer, GoAnywhere MFT, Accelion FTA, and Cleo software. As a workaround, those who can't immediately update CrushFTP v11.3.1+ (which fixes the flaw) can enable the DMZ (demilitarized zone) perimeter network option to protect their CrushFTP instance until security updates can be deployed.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 25 Mar 2025 20:15:15 +0000