Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



CrushFTP Patches Exploited Zero-Day Vulnerability

CrushFTP patches a zero-day vulnerability allowing unauthenticated attackers to escape the VFS and retrieve system files.

CrushFTP on Friday released patches for a zero-day vulnerability in the file transfer server, warning customers of its in-the-wild exploitation.

Impacting CrushFTP versions 9, 10, and 11, the security defect allows an unauthenticated attacker to escape their virtual file system (VFS) and retrieve system files, potentially opening the door to further exploitation.

In its advisory, CrushFTP points out that customers using a DMZ server, which filters protocols and connections, are protected against attacks.

Patches were included in CrushFTP versions 10.71 and 11.1.0. Customers still using CrushFTP version 9 should upgrade to a patched release.

In a Friday notice to customers that was shared on Reddit, CrushFTP underlined that it was aware of in-the-wild exploitation, urging customers to apply the available patches immediately.

“Please take immediate action to patch ASAP. A vulnerability was reported today (April 19, 2024), and we patched it immediately. v10 version 10.71 is patched. v11 version 11.1.0 is patched. This vulnerability exists in the wild,” the vendor told customers.

CrushFTP has credited Simon Garrelou of Airbus CERT for discovering and reporting the vulnerability, but has not shared specific details on the observed attacks.

On Friday, cybersecurity firm CrowdStrike noted in a Reddit post that the vulnerability had been exploited in the wild in a targeted fashion, mainly against US entities.

Advertisement. Scroll to continue reading.

CrowdStrike said the observed attacks were likely focused on intelligence gathering or might have been politically motivated, but did not share further details.

A proprietary multi-protocol file transfer server available for Windows, macOS, and Linux, CrushFTP has been around since 1999 and is available as shareware, with a tiered pricing model.

Responding to a SecurityWeek inquiry, CrushFTP said that it has not received customer reports regarding successful exploits and that no security firm, other than Airbus CERT, has contacted it with information on potential attacks.

“Airbus CERT reported they had observed it in the wild, so we believe them, as they reported the vulnerability to us,” CrushFTP said. 

“We are hopeful customers will get updated before it becomes actively used in the wild. We are assisting customers in updating as fast as we can currently. Updating is simple, and customers should already be in practice of doing regular updates,” CrushFTP also said. 

While it could not confirm how many customers have updated to a patched release yet, CrushFTP said that interest in the issue has spiked, which should result in customers staying vigilant about updating. 

*updated with information from CrushFTP

Related: PoC Code Published for Just-Disclosed Fortra GoAnywhere Vulnerability

Related: SEC Investigating Progress Software Over MOVEit Hack

Related: Accellion to Retire File Transfer Service Targeted in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights