CVE-2023-43177
published 2023-11-18

CVE-2023-43177: CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.

Priority: P1 87 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 81.80% (99.6th percentile)

Affected (1 range)

Vendor: crushftp · Product: crushftp · Version range: < 10.5.2 · Fixed in: 10.5.2

Detection & IOCs (extracted from sources)

path: sessions.obj
cookie: session cookies of valid authenticated users
  • Detect exploitation attempts via anomalous HTTP request headers aimed at CrushFTP's AS2 header parsing: attackers inject crafted header key-value pairs that are copied into session properties without any authentication.
  • The vulnerable code path copies the attacker-controlled header pairs into the session's property map with Java's putAll(), which is how session data is overwritten and an administrator account impersonated. putAll() is an internal library call and is not something CrushFTP writes to its logs, so detection has to key on the crafted headers that reach it rather than on the call itself.
  • Watch for use of CrushFTP's drain_log() function, which attackers use post-compromise to manipulate files and stay stealthy; as with putAll(), the observable evidence is the resulting unexpected file changes rather than the call.
  • Monitor for unauthorized reads or modification of the 'sessions.obj' file in the CrushFTP installation folder; it holds live sessions and is used to hijack an authenticated admin session.
  • Detect abuse of the admin panel's SQL driver loading and testDB feature, which is used after privilege escalation to execute arbitrary Java code.
  • Web server (or reverse proxy/WAF) logs carry traces of exploit payloads delivered via HTTP headers on ports 80, 443, 8080 and 9090; review them for anomalous header values associated with AS2 parsing.
  • The exploit chain begins with an unauthenticated mass-assignment vulnerability in AS2 header parsing: flag unauthenticated requests to CrushFTP endpoints that carry unusual or excessive custom headers.
  • A public Metasploit exploit module exists for CVE-2023-43177, enabling unauthenticated RCE. Patching to CrushFTP 10.5.2 or later is required; versions prior to 10.5.1 are confirmed vulnerable.
  • Applying the patch alone may not fully secure CrushFTP endpoints; additional hardening (the Argon password algorithm, user audits, Limited Server mode, a reverse proxy in front of the service) is recommended.
  • Approximately 10,000 public-facing CrushFTP instances were identified at the time of disclosure, a large attack surface for opportunistic exploitation following the PoC release.
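The detection heuristics above (unauthenticated requests carrying AS2 headers, an excessive number of custom headers, header names that collide with session properties, on the listed CrushFTP ports) can be turned into a small log scanner. The Python below is an added example, not CrushFTP code and not tooling from the source advisory. It assumes a reverse proxy or WAF in front of CrushFTP that writes one JSON object per request including the request headers (the sample log is constructed), that the authenticated-session cookie is named CrushAuth, that eight non-standard headers counts as "excessive", and that the session-property key names it matches on are illustrative; all four are assumptions, not facts from the advisory.

```python
"""Flag CrushFTP requests whose headers look like CVE-2023-43177 mass-assignment
attempts, using the heuristics listed on this page. Added example; not CrushFTP
code and not the source advisory's tooling."""
import json

# Ports the page lists for CrushFTP's HTTP(S) listeners.
CRUSHFTP_PORTS = {80, 443, 8080, 9090}

# Ordinary browser/client headers; anything else counts as "custom".
STANDARD_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "content-type", "content-length", "connection", "cookie", "referer",
    "origin", "authorization", "cache-control", "pragma",
    "upgrade-insecure-requests",
}

# ASSUMPTIONS (not from the advisory): the session-property names below are
# illustrative keys an attacker would try to mass-assign; 8 custom headers is
# an arbitrary "excessive" threshold; "CrushAuth" is taken as the name of the
# cookie that marks an authenticated CrushFTP session.
SESSION_PROPERTY_KEYS = {"user_name", "user_auth", "user_pass", "password"}
CUSTOM_HEADER_THRESHOLD = 8
AUTH_COOKIE_NAME = "crushauth"


def analyze_request(req: dict) -> list[str]:
    """Return the reasons a single request should be flagged (empty if clean)."""
    reasons: list[str] = []
    if req.get("port") not in CRUSHFTP_PORTS:
        return reasons
    names = {h.lower() for h in req.get("headers", {})}
    authenticated = f"{AUTH_COOKIE_NAME}=" in req.get("cookie", "").lower()
    # Rule 1: AS2 headers from a client with no session cookie. AS2 parsing is
    # the unauthenticated entry point this page describes.
    if any(n.startswith("as2-") for n in names) and not authenticated:
        reasons.append("unauthenticated request carrying AS2 headers")
    # Rule 2: an unusually large set of non-standard headers.
    custom = names - STANDARD_HEADERS
    if len(custom) >= CUSTOM_HEADER_THRESHOLD:
        reasons.append(f"{len(custom)} non-standard headers "
                       f"(threshold {CUSTOM_HEADER_THRESHOLD})")
    # Rule 3: header names that collide with session property keys.
    hits = sorted(custom & SESSION_PROPERTY_KEYS)
    if hits:
        reasons.append("header names matching session property keys: "
                       + ", ".join(hits))
    return reasons


def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Parse one JSON object per line; return (line_no, src, reasons) per flagged request."""
    flagged = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            req = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        reasons = analyze_request(req)
        if reasons:
            flagged.append((line_no, req.get("src", "?"), reasons))
    return flagged


# Constructed sample log (assumed proxy format). Lines 1 and 3 model the
# unauthenticated AS2 mass-assignment pattern; lines 2 and 4 are normal
# authenticated web-interface traffic.
SAMPLE_LOG = """\
{"src":"203.0.113.7","port":443,"method":"POST","path":"/","cookie":"","headers":{"Host":"ftp.example.test","Content-Type":"application/pkcs7-mime","AS2-To":"crush","AS2-From":"partner","user_name":"crushadmin","user_auth":"true"}}
{"src":"198.51.100.12","port":8080,"method":"GET","path":"/WebInterface/","cookie":"CrushAuth=abc","headers":{"Host":"ftp.example.test","User-Agent":"Mozilla/5.0","Accept":"*/*"}}
{"src":"203.0.113.7","port":9090,"method":"POST","path":"/","cookie":"","headers":{"Host":"ftp.example.test","AS2-To":"crush","X-A":"1","X-B":"2","X-C":"3","X-D":"4","X-E":"5","X-F":"6","X-G":"7","X-H":"8","X-I":"9","X-J":"10"}}
{"src":"192.0.2.5","port":443,"method":"GET","path":"/WebInterface/function/?command=getUserList","cookie":"CrushAuth=def","headers":{"Host":"ftp.example.test","User-Agent":"curl/8.0"}}
"""

if __name__ == "__main__":
    for line_no, src, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {src}:")
        for r in reasons:
            print(f"  - {r}")
```

The scanner only sees headers if something in the request path records them; a plain access log of method, path and status is not enough, which is one practical reason the reverse-proxy recommendation above matters beyond hardening. Rule 1 on its own will produce noise on servers that legitimately exchange AS2 with partners, so in that environment tighten it to AS2 requests whose header names also trip rule 3.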

CVSS provenance

nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL