Maker of CrushFTP file transfer tool urges users to upgrade as soon as possible

Hackers may have already exploited vulnerabilities in certain versions of file transfer applications.

The developers of CrushFTP say a vulnerability in the file transfer application is already being exploited; it allows users to bypass the application's virtual file system (VFS) and download files outside it.

CrushFTP first warned about the CVE-2024-4040 vulnerability last week, in an update to its application wiki that also announced a patched version.

According to a wiki update dated April 19, CrushFTP v11 versions below 11.1 contain a vulnerability that allows users to escape the VFS and download system files. This was patched in v11.1.0.

The company had previously suggested that users operating CrushFTP behind a DMZ were safe, but that advice was updated on April 22.

According to the CrushFTP wiki, customers using a DMZ in front of their main CrushFTP instance are partially protected by its protocol conversion system. However, a DMZ deployment is not completely secure and should still be updated soon.

CrushFTP further explained the vulnerability in an April 20 mass email to users that was shared by a poster on Reddit.

The essence of this vulnerability is that an unauthenticated or authenticated user could potentially obtain system files that are not part of the VFS via the WebInterface. This could result in escalation as the attacker learns more, the notice states.

If you are still using CrushFTP v9, you should upgrade to v11 immediately. Otherwise, perform the update directly in the CrushFTP dashboard.

At the same time, security firm CrowdStrike published its own analysis on Reddit, noting that its Falcon OverWatch and Falcon Intelligence teams had observed this exploit being used in the wild in a targeted manner.

CrowdStrike also said multiple U.S. companies were being targeted as part of possibly politically motivated intelligence gathering.

Today (April 23), a CrushFTP spokesperson confirmed that some customers may have already been compromised.

A spokesperson told Recorded Future that it must have already happened where the update was delayed, and that those customers just had not noticed it yet.

We have confirmed that customers who have already patched had been probed for the vulnerability. If they had not updated, important configuration information would have been stolen. We cannot stress enough that customers should either update as soon as possible or operate in whitelist mode, blocking all but known good IPs.

Vulnerabilities in file transfer tools could lead to cascading attacks against numerous companies. For example, last year's MOVEit hack, in which the Clop ransomware group exploited a similar vulnerability, has affected 2,611 organizations so far.