CVE-2024-4040
published 2024-04-22


Priority: P1 (score 100, critical)
CVSS 3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Tags: KEV, exploited in the wild, ransomware, initial access
CISA Known Exploited Vulnerability: remediation due 2024-05-01
Exploited in the wild
EPSS: 99.54% (99.9th percentile)
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

Affected

4 ranges

Vendor    Product   Version range         Fixed in
crushftp  crushftp  >= 10.0   < 10.7.1    10.7.1
crushftp  crushftp  >= 10.0.0 < 10.7.1    10.7.1
crushftp  crushftp  >= 11.0   < 11.1.0    11.1.0
crushftp  crushftp  >= 11.0.0 < 11.1.0    11.1.0

Detection & IOCs (extracted from sources)

  • CVE-2024-4040 is a server-side template injection (SSTI) vulnerability that enables a VFS sandbox escape; detection should focus on unauthenticated requests to the CrushFTP WebInterface that attempt to read files outside the VFS sandbox
  • The vulnerability is fully unauthenticated and trivially exploitable over the CrushFTP WebInterface HTTP(S) port; because the service commonly runs as root, an out-of-sandbox read can reach any file on the host, so monitor for unauthenticated file reads outside the VFS and for unexpected admin session creation
  • Any user of the WebInterface, unauthenticated or authenticated, could retrieve system files that are not part of their VFS; alert on HTTP requests, especially from unauthenticated sessions, whose requested paths resolve outside the configured VFS root
  • Exploitation was observed in targeted attacks against multiple U.S. organizations in an intelligence-gathering campaign; treat any internet-exposed CrushFTP WebInterface as a high-priority threat-hunting target
  • Shadowserver identified 1,401 unpatched CrushFTP instances; prioritize scanning internet-exposed hosts for CrushFTP versions prior to 10.7.1 (10.x) and 11.1.0 (11.x)
  • Instances fronted by a CrushFTP DMZ perimeter instance in front of the main CrushFTP server are reported as protected against attacks exploiting this vulnerability; confirm the DMZ instance actually sits in front of every exposed WebInterface listener before relying on this
  • CrushFTP v9.x is also affected and no 9.x fix is listed; customers still running v9 should upgrade to v11 or update via the dashboard immediately
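The fixed-in thresholds from the Affected table and the detection guidance above, turned into runnable triage code. This is an added example written for this page, not code from cvebase or from CrushFTP. The access-log format, the `/WebInterface/` URL prefix, the `path` query parameter and the `auth=` field are assumptions constructed for the example; the request shape used in real exploitation is not described on this page, so the path check is the generic sandbox test (resolve the client-supplied value against the VFS root, collapse `..`, require the result to stay under the root) that a detection rule would tune to the product's actual request format.

```python
"""Triage helpers for CVE-2024-4040 (added example; assumptions noted inline)."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Fixed-in versions from the advisory: 10.x fixed in 10.7.1, 11.x in 11.1.0.
FIXED_IN = {10: (10, 7, 1), 11: (11, 1, 0)}


def vulnerable_version(version: str) -> bool:
    """Return True if a CrushFTP version string falls in an affected range.

    Short versions are zero-padded so '10.0' and '10.0.0' compare equally.
    9.x is treated as affected because the vendor says v9 customers must
    upgrade and no 9.x fix is listed. Majors above 11 are not listed in the
    affected ranges, so they are treated as unaffected here.
    """
    parts = [int(p) for p in version.strip().split(".")]
    parts += [0] * (3 - len(parts))
    major = parts[0]
    if major <= 9:
        return True
    fixed = FIXED_IN.get(major)
    return fixed is not None and tuple(parts[:3]) < fixed


# Assumed log format for the example (constructed, not a CrushFTP log format):
#   <ip> [<timestamp>] "<method> <target> HTTP/x.y" <status> auth=<user|anon>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) auth=(?P<auth>\S+)$'
)
WEBINTERFACE_PREFIX = "/WebInterface/"   # assumed URL prefix of the WebInterface


def escapes_vfs(user_path: str, vfs_root: str) -> bool:
    """Resolve a client-supplied path the way a sandboxed file server would
    and report whether the result lands outside the VFS root.

    The value is percent-decoded once more (catches double encoding),
    backslashes are normalised to '/', a leading '/' means the VFS root rather
    than the OS root, and '..' segments are collapsed before the prefix check.
    """
    decoded = unquote(user_path).replace("\\", "/")
    root = posixpath.normpath(vfs_root)
    prefix = root if root.endswith("/") else root + "/"
    resolved = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    return resolved != root and not resolved.startswith(prefix)


def flag_requests(log_lines, vfs_root):
    """Scan log lines for WebInterface requests whose query parameters carry a
    path that escapes the VFS root. Returns (ip, auth_state, param, value)."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("target").startswith(WEBINTERFACE_PREFIX):
            continue
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        # The advisory stresses the unauthenticated case, but authenticated
        # users could also read outside their VFS, so both are reported.
        auth_state = "unauthenticated" if m.group("auth") == "anon" else "authenticated"
        for name, values in params.items():
            for value in values:
                if escapes_vfs(value, vfs_root):
                    findings.append((m.group("ip"), auth_state, name, unquote(value)))
    return findings


SAMPLE_LOG = [  # constructed sample lines for the example, not captured traffic
    '203.0.113.5 [22/Apr/2024:10:01:02 +0000] "GET /WebInterface/?path=/docs/report.pdf HTTP/1.1" 200 auth=alice',
    '203.0.113.9 [22/Apr/2024:10:01:10 +0000] "GET /WebInterface/?path=/pub/readme.txt HTTP/1.1" 200 auth=anon',
    '198.51.100.7 [22/Apr/2024:10:02:31 +0000] "GET /WebInterface/?path=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 auth=anon',
    '198.51.100.7 [22/Apr/2024:10:02:40 +0000] "GET /static/logo.png HTTP/1.1" 200 auth=anon',
    '203.0.113.5 [22/Apr/2024:10:03:00 +0000] "POST /WebInterface/?path=..%2F..%2Fusers%2Fadmin.XML HTTP/1.1" 200 auth=alice',
]

if __name__ == "__main__":
    for v in ("9.5", "10.7.0", "10.7.1", "11.0.5", "11.1.0"):
        print(f"{v:>7}: {'VULNERABLE' if vulnerable_version(v) else 'fixed'}")
    for finding in flag_requests(SAMPLE_LOG, "/srv/crush/anon"):
        print("ALERT", *finding)
```

Running the script prints the version verdicts and two alerts: the unauthenticated traversal to `etc/passwd` and the authenticated read of a file two levels above the VFS root. The normal anonymous read of `/pub/readme.txt` is not reported, because a request inside the VFS from an unauthenticated session is ordinary WebInterface use; the escape, not the lack of a session, is the signal.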

CVSS provenance

NVD        v3.1  10.0  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
VulnCheck        9.8   CRITICAL
CISA             10.0  CRITICAL