CrushFTP Urges Immediate Patching for Exploited Zero-Day Vulnerability


CrushFTP has issued urgent warnings to its customers regarding an exploited zero-day vulnerability identified and promptly addressed in newly released software versions. The company emphasized the critical need for users to patch their servers without delay.

In a private memo circulated to customers, CrushFTP alerted them to the zero-day vulnerability and stressed the importance of applying the latest updates released on the same day to mitigate the risk of exploitation. The vulnerability, which enables unauthenticated attackers to bypass the user's virtual file system (VFS) and access system files, poses a significant security threat.

According to CrushFTP, organizations utilizing a DMZ (demilitarized zone) perimeter network in front of their primary CrushFTP instance are safeguarded against these attacks.

The company's public security advisory detailed the severity of the zero-day vulnerability and its potential consequences. It disclosed that users, whether authenticated or unauthenticated, could exploit this flaw via the web interface to retrieve system files outside their designated VFS, potentially leading to further escalation of access.

CrushFTP also advised customers still running version 9 of its software to upgrade immediately to version 11 or apply the necessary updates through the dashboard. The company assured users that a rollback option is available in case of any issues or functional regressions following the update.

Simon Garrelou of Airbus CERT initially reported the zero-day vulnerability, which has been addressed in CrushFTP versions 10.7.1 and 11.1.0.
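As an added illustration (not CrushFTP's code), a small triage helper that compares an inventory of reported CrushFTP version strings against the fixed releases named above (10.7.1 for the 10.x branch, 11.1.0 for 11.x, and an upgrade for anything older); the hostnames and versions in the sample inventory are constructed.

```python
"""Triage CrushFTP version strings against the fixed releases named in the
advisory (10.7.1 and 11.1.0). Added illustration, not CrushFTP's own code."""

# Lowest fixed release per major branch, as stated in the advisory.
FIXED_BY_MAJOR = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text):
    """Turn '11.1.0' or '10.7' into a 3-tuple of ints. Suffixes such as
    '10.7.1_beta' are tolerated by keeping only the leading digits of each part."""
    nums = []
    for part in text.strip().split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component: {part!r}")
        nums.append(int(digits))
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def assess(text):
    """Return (status, advice) for one reported version string."""
    ver = parse_version(text)
    major = ver[0]
    if major < 10:
        # Version 9 has no fixed release; the vendor says to move to 11.
        return "upgrade", "no fix on this branch; upgrade to 11.1.0 or later"
    if major > 11:
        return "unknown", "newer than the advisory covers; confirm with vendor"
    fixed = FIXED_BY_MAJOR[major]
    if ver >= fixed:
        return "patched", "at or above fixed release"
    return "vulnerable", "update to " + ".".join(map(str, fixed))


def triage(inventory):
    """Map host -> (status, advice) for a {host: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"ftp-a.example": "10.7.1", "ftp-b.example": "10.6.2",
              "ftp-c.example": "11.0.3", "ftp-d.example": "9.4.1"}
    for host, (status, advice) in triage(sample).items():
        print(f"{host:16} {status:10} {advice}")
```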

Reports from Shodan indicate that approximately 2,700 CrushFTP instances have their web interface exposed online, making them potential targets for exploitation. However, the actual number of unpatched instances remains unknown.

Further details surrounding the exploitation of this vulnerability have been confirmed by cybersecurity firm CrowdStrike. According to their intelligence report, threat actors have been actively exploiting the CrushFTP zero-day vulnerability in targeted attacks against multiple U.S. organizations. Evidence suggests that this campaign is driven by intelligence-gathering objectives, possibly with political motivations.

CrowdStrike's Falcon OverWatch and Falcon Intelligence teams have observed the zero-day exploit being used in a deliberate and targeted manner.

In response to these developments, CrushFTP customers are strongly advised to monitor the vendor's website for the latest updates and instructions regarding this vulnerability. Priority should be given to implementing patches to mitigate the risk of exploitation and potential compromise of sensitive data.

This incident follows a similar warning issued in November when CrushFTP customers were urged to address a critical remote code execution vulnerability (CVE-2023-43177) following its disclosure by Converge security researchers, who also provided a proof-of-concept exploit.