CVE-2024-4040:
Unauthenticated server-side template injection in CrushFTP enables arbitrary file read outside the VFS sandbox, authentication bypass, and remote code execution. The vulnerability affects CrushFTP versions prior to 10.7.1 and 11.1.0 on all platforms.
Score
A numerical rating that indicates how dangerous this vulnerability is.
10.0Critical- Published Date:Apr 22, 2024
- CISA KEV Date:Apr 24, 2024
- Industries Affected:20
2 DaysThreat Predictions
- EPSS Score:94.4
- EPSS Percentile:100%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:CHANGED
Impact
- Score:6.0
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Unauthenticated server-side template injection in CrushFTP enables arbitrary file read outside the VFS sandbox, authentication bypass, and remote code execution. The vulnerability affects CrushFTP versions prior to 10.7.1 and 11.1.0 on all platforms.
Overview
This CVE documents a critical server-side template injection flaw in CrushFTP that allows unauthenticated attackers to read files outside the sandbox, bypass authentication to gain admin access, and run arbitrary code on the server. It affects all platforms and versions up to but not including 10.7.1 and 11.1.0. With a CVSS v3.1 score of 9.8, the vulnerability presents a high-severity, network-exposed risk that can lead to complete compromise of the affected CrushFTP server, including confidentiality, integrity, and availability impacts.
Remediation
- Upgrade to fixed versions: update CrushFTP to 10.7.1 or later, and 11.1.0 or later (patched releases address the template-injection flaw).
- If immediate upgrade is not possible:
- Isolate the affected server from untrusted networks (restrict Internet access; place behind a firewall or reverse proxy with strict allowlists).
- Disable or minimize features that utilize dynamic templates or template rendering if feasible.
- Apply web application/firewall rules to detect and block anomalous template input patterns; monitor for exploitation indicators in logs.
- After patching or mitigation, perform credential hygiene (rotate admin credentials, review active sessions) and conduct a post-change security review.
- Validate the fix by testing against known PoCs or exploit indicators and review vendor advisories for any guidance or additional patches.
- Maintain backups and run in a test environment prior to full production deployment when possible.
References
- - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
- - https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
- - https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
- - https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
- - https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/
- - https://github.com/airbus-cert/CVE-2024-4040
- - https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-4040
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:Apr 23, 2024
- CISA KEV Date:Apr 24, 2024
- Days Early:2 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
