Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day

More than 1,400 CrushFTP servers remain vulnerable to an actively exploited zero-day for which PoC has been published.

More than 1,400 CrushFTP managed file transfer software instances remain vulnerable to a recently disclosed zero-day, according to data from the Shadowserver Foundation.

Tracked as CVE-2024-4040 (CVSS score of 9.8), the critical-severity bug is described as a server-side template injection that allows remote attackers to escape the virtual file system (VFS) sandbox, gain administrative privileges, and execute arbitrary code.

CrushFTP disclosed the flaw on April 19, warning customers of in-the-wild exploitation and urging them to upgrade to version 10.71 or 11.1.0, which address it. CrushFTP versions 9, 10, and 11 are affected.

On April 22, one day before Simon Garrelou of Airbus CERT, who was credited for discovering CVE-2024-4040, published proof-of-concept (PoC) code targeting the bug, CrushFTP updated its advisory to warn that using a DMZ in front of the application is no longer considered a protection option and that migrating to a patched version is essential.

On April 24, the US cybersecurity agency CISA added the security defect to its Known Exploited Vulnerabilities (KEV) catalog, setting deadlines for federal agencies to identify vulnerable hosts within their environments and patch them by May 1.

While details on the observed attacks are scarce, CrowdStrike warned a week ago that threat actors had been exploiting it in a targeted fashion, mainly against entities in the United States.

The concentration of attacks in the US is not surprising. Censys says that half of the roughly 5,000 hosts running CrushFTP servers are in the US, while Tenable claims there might be over 7,100 publicly accessible CrushFTP servers, with 2,900 of them in the US.

On Thursday, the Shadowserver Foundation said that more than 1,400 publicly accessible CrushFTP installations were likely impacted by the exploited vulnerability. Of these, over 700 are in the US.

CrushFTP customers are advised to update to a patched version of the enterprise file transfer application as soon as possible. Not only is CVE-2024-4040 under active exploitation, but, according to Rapid7, “it is fully unauthenticated and trivially exploitable.”

“Successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance,” Rapid7 explains.

The cybersecurity firm also notes that detecting exploitation attempts is difficult because payloads for this bug can be delivered in multiple forms, and logs and request histories can be manipulated to remove evidence of attacks. Furthermore, even CrushFTP instances behind a standard reverse proxy may be targeted.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

