CVE-2023-43177
Published 2023-11-18
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
Priority: P1 · 87 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 81.80% (99.6th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crushftp | crushftp | < 10.5.2 | 10.5.2 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts via anomalous HTTP request headers targeting CrushFTP's AS2 header parsing — attackers inject specially crafted header key-value pairs to manipulate session properties without authentication.
- Monitor CrushFTP logs for unexpected calls to Java's 'putAll()' function, which is abused to overwrite session data and impersonate administrator accounts.
- Alert on invocations of the 'drain_log()' function within CrushFTP, used by attackers to manipulate files and maintain stealthiness post-compromise.
- Monitor for unauthorized access or modification of the 'sessions.obj' file in the CrushFTP installation folder, which is used to hijack live admin sessions.
- Detect abuse of CrushFTP's admin panel SQL driver loading and testDB feature, which is exploited post-privilege-escalation to execute arbitrary Java code.
- Web server logs will contain traces of exploit payloads delivered via HTTP headers on ports 80, 443, 8080, and 9090 — review logs for anomalous header values associated with AS2 parsing.
- The exploit chain begins with an unauthenticated mass-assignment vulnerability via AS2 header parsing — flag unauthenticated requests with unusual or excessive custom headers to CrushFTP endpoints.
- A public Metasploit exploit module exists for CVE-2023-43177, enabling unauthenticated RCE. Patching to CrushFTP 10.5.2 or later is required; versions prior to 10.5.1 are confirmed vulnerable.
- Applying the patch alone may not fully secure CrushFTP endpoints — additional hardening steps (Argon password algorithm, user audits, Limited Server mode, reverse proxy) are recommended.
- Approximately 10,000 public-facing CrushFTP instances were identified at the time of disclosure, representing a large attack surface for opportunistic exploitation following PoC release.
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 9.8 CRITICAL
GHSA
GHSA-6wmg-7vxw-42fx: CrushFTP prior to 10
ghsa_unreviewed · 2023-11-18 · CVE-2023-43177 [CRITICAL] · CWE-913
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
VulnCheck
crushftp CrushFTP Improper Control of Dynamically-Managed Code Resources
vulncheck · 2023 · CVE-2023-43177 [CRITICAL] · CVSS 9.8
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
Affected: crushftp CrushFTP
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://go.recordedfuture.com/hubfs/reports/ta-2024-0321.pdf; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-01&host_type=src&vulnerability=cve-2023-43177; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-03&host_type=src&vulnerability=cve-2023-43177; https://dashboard.shadowserver.org/statistics/honeypot/vulnerabi
Suricata
ET WEB_SPECIFIC_APPS Possible CrushFTP as2-to Anonymous User Rename Attempt (CVE-2023-43177)
suricata · 2023-11-20 · CVE-2023-43177 [CRITICAL] · CVSS 9.8
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible CrushFTP as2-to Anonymous User Rename Attempt (CVE-2023-43177)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WebInterface/"; http.header; content:"as2-to|3a 20|"; nocase; http.cookie; content:"CrushAuth|3d|"; startswith; fast_pattern; reference:cve,2023-43177; reference:url,convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/; classtype:attempted-user; sid:2049265; rev:1; metadata:attack_target FTP_Server, created_at 2023_11_20, cve CVE_2023_43177, deployment Perimeter, deployment Internet, performance_impact Low, confidence Low, signature_severity Major, updated_at 2023
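As an added, defender-side illustration (not part of the ET ruleset, the Suricata record above, or CrushFTP itself), the script below applies the same four conditions the rule encodes (POST method, a URI containing /WebInterface/, an as2-to header matched case-insensitively, and a cookie beginning with CrushAuth=) to a request log, so the match logic can be checked against retained web-server logs rather than only on the wire. The one-request-per-line record format, its field names and the sample lines are assumptions constructed for this example.

```python
"""Log-side analogue of the ET Suricata rule for CVE-2023-43177 (added
example, not from Emerging Threats or CrushFTP). The record format and the
sample records are constructed for illustration."""
from typing import Dict, List, Optional

# Constructed record format: one request per line, four fields separated by " | ":
#   method | uri | header block ("Name: value" items separated by ";") | Cookie header
# All hostnames, values and cookies below are made up.
SAMPLE_LOG = """\
POST | /WebInterface/function/ | Host: ftp.example.test; as2-to: example-partner | CrushAuth=abc123; currentAuth=4567
GET | /WebInterface/ | Host: ftp.example.test | CrushAuth=abc123
POST | /WebInterface/function/ | Host: ftp.example.test; Content-Type: text/plain | CrushAuth=abc123
POST | /WebInterface/function/ | Host: ftp.example.test; AS2-To: example-partner | other=1
"""


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Split one constructed log line into method, uri, headers (lower-cased
    names) and the raw Cookie header. Returns None for malformed lines."""
    parts = [p.strip() for p in line.split(" | ")]
    if len(parts) != 4:
        return None
    method, uri, header_block, cookie = parts
    headers: Dict[str, str] = {}
    for item in header_block.split(";"):
        if ":" in item:
            name, value = item.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "cookie": cookie}


def matches_rule(rec: Dict[str, object]) -> bool:
    """Mirror the rule's conditions: http.method POST, http.uri containing
    /WebInterface/, an as2-to header (rule uses nocase), and http.cookie
    starting with "CrushAuth=" (rule uses startswith)."""
    headers = rec["headers"]
    assert isinstance(headers, dict)
    return (
        rec["method"] == "POST"
        and "/WebInterface/" in str(rec["uri"])
        and "as2-to" in headers
        and str(rec["cookie"]).startswith("CrushAuth=")
    )


def find_suspicious(log_text: str) -> List[int]:
    """Return the 1-based line numbers of records that satisfy every condition."""
    hits: List[int] = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_record(line)
        if rec is not None and matches_rule(rec):
            hits.append(number)
    return hits


if __name__ == "__main__":
    # Only the first sample line carries all four indicators together.
    print("suspicious lines:", find_suspicious(SAMPLE_LOG))
```

Like the Suricata signature it mirrors (which ET tags with confidence Low), the match is a set of co-occurring indicators rather than proof of exploitation: a legitimate AS2 partner posting to the web interface while holding a CrushAuth cookie would also match, so hits are a starting point for review of the surrounding session activity, not a verdict.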
Metasploit
CrushFTP Unauthenticated RCE
metasploit · CVE-2023-43177 [CRITICAL] · CVSS 9.8
This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1. It is possible to set some user's session properties by sending an HTTP request with specially crafted header key-value pairs. This enables an unauthenticated attacker to access files anywhere on the server file system and steal the session cookies of valid authenticated users. The attack consists of hijacking a user's session and escalating privileges to obtain full control of the target. Remote code execution is obtained by abusing the dynamic SQL driver loading and configuration testing feature.
Nuclei
CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
nuclei · CVE-2023-43177 [CRITICAL] · CVSS 9.8
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
Template:
id: CVE-2023-43177
info:
  name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
  impact: |
    Unauthenticated attackers can manipulate dynamically-determined object attributes to create arbitrary files in the web interface directory, potentially achieving remote code execution and compromising the entire CrushFTP file transfer server.
  remediation: |
    Update CrushFTP to version 10.5.1 or later that prope
Bleepingcomputer
blogs_bleepingcomputer · 2025-04-01 · CVE-2025-2825 [CRITICAL] · CVSS 9.8
## Critical auth bypass bug in CrushFTP now exploited in attacks
## Sergiu Gatlan
Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code.
The security vulnerability (CVE-2025-2825) was discovered and reported by Outpost24 (which identifies it as CVE-2025-31161), and it allows remote attackers to gain unauthenticated access to devices running unpatched CrushFTP v10 or v11 software.
"Please take immediate action to patch ASAP. The bottom line of this vulnerability is that an exposed HTTP(S) port could lead to unauthenticated access," CrushFTP warned in an email sent to customers on Friday, March 21, when it released patches to address the security flaw.
As a wor
Bleepingcomputer
blogs_bleepingcomputer · 2024-04-25 · CVE-2024-4040 [CRITICAL] · CVSS 9.8
## Over 1,400 CrushFTP servers vulnerable to actively exploited bug
## Sergiu Gatlan
Over 1,400 CrushFTP servers exposed online were found vulnerable to attacks currently targeting a critical severity server-side template injection (SSTI) vulnerability previously exploited as a zero-day.
While CrushFTP describes CVE-2024-4040 as a VFS sandbox escape in its managed file transfer software that enables arbitrary file reading, unauthenticated attackers can use it to gain remote code execution (RCE) on unpatched systems.
The company warned customers on Friday to "update immediately" to block attacker attempts to escape the user's virtual file system (VFS) and download system files.
On Tuesday, Rapid7's vulnerability research team confirmed the security flaw's severity, saying it was "full
Bleepingcomputer
blogs_bleepingcomputer · 2024-04-19 · CVE-2024-4040 [CRITICAL] · CVSS 9.8
## CrushFTP warns users to patch exploited zero-day "immediately"
## Sergiu Gatlan
Update April 22, 16:31 EDT: This CrushFTP VFS sandbox escape vulnerability is now tracked as CVE-2024-4040.
CrushFTP warned customers today in a private memo of an actively exploited zero-day vulnerability fixed in new versions released today, urging them to patch their servers immediately.
As the company also explains in a public security advisory published on Friday, this zero-day bug enables unauthenticated attackers to escape the user's virtual file system (VFS) and download system files.
However, those using a DMZ (demilitarized zone) perimeter network in front of their main CrushFTP instance are protected against attacks.
"Please take immediate action to patch ASAP. A vulnerability was reported
Bleepingcomputer
blogs_bleepingcomputer · 2023-11-18 · CVE-2023-43177 [CRITICAL] · CVSS 9.8
## Exploit for CrushFTP RCE chain released, patch now
## Bill Toulas
A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords.
The vulnerability was discovered in August 2023, tracked as CVE-2023-43177, by Converge security researchers, who responsibly reported it to the vendor. The developers released a fix overnight in version CrushFTP 10.5.2.
Today, Converge published a proof-of-concept exploit for the CVE-2023-43177 flaw, making it critical for CrushFTP users to install the security updates as soon as possible.
## Exploiting CrushFTP
The CrushFTP exploit is conducted through an unauthenticated
Greynoiseio
Storm⚡️Watch
blogs_greynoiseio · [CRITICAL] · CVSS 9.8
References
- https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
- https://github.com/the-emmons/CVE-Disclosures/blob/main/Pending/CrushFTP-2023-1.md