CRUSHFTP IN FLAMES: 1,400 SERVERS AT RISK

Over 1,400 CrushFTP servers accessible from the Internet are at risk of attack due to a critical vulnerability tracked as CVE-2024-4040. The vulnerability allows unauthorized attackers to gain access to files and execute remote code on unsecured systems.

CrushFTP has advised customers to update immediately in order to block attempts to escape the virtual file system (VFS) and download system files.

Researchers from Rapid7 have confirmed that the vulnerability poses a high level of danger and can be easily exploited. They explained, “Successful exploitation not only allows for reading arbitrary files as root, but also bypasses authentication to access the administrator’s account and execute code.”

Shadowserver reports that a majority of the vulnerable CrushFTP servers are located in countries such as the USA (725), Germany (115), and Canada (108). Shodan has identified over 5,200 Internet-accessible CrushFTP servers, but there is no information on how many of them are susceptible to attack.

The vulnerability is being actively exploited in targeted attacks and was used as a zero-day before the official patch was released. Attackers are also leveraging the vulnerability in politically motivated campaigns to gather intelligence.

CrushFTP users are advised to update their installations to secure versions immediately and to check the vendor’s website regularly for the latest instructions on protecting against ongoing exploitation.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2024-4040 to its list of known exploited vulnerabilities and directed federal agencies to secure vulnerable servers within a week.
