CVE-2024-4040
Published: 2024-04-22
Priority: P1 (100, critical)
CVSS 3.1 base score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability (remediation due 2024-05-01)
Exploited in the wild
EPSS: 99.54% (99.9th percentile)
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crushftp | crushftp | >= 10.0 < 10.7.1 | 10.7.1 |
| crushftp | crushftp | >= 10.0.0 < 10.7.1 | 10.7.1 |
| crushftp | crushftp | >= 11.0 < 11.1.0 | 11.1.0 |
| crushftp | crushftp | >= 11.0.0 < 11.1.0 | 11.1.0 |
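The ranges in the table are half-open: the lower bound is included and the "Fixed in" build is the first safe one. Inventory scripts get this wrong when they compare version strings as text ("10.10.0" sorts before "10.7.1"). The following is an added example, not code from the page or from CrushFTP, that parses version strings into integer tuples and triages a constructed inventory against the ranges above plus the 9.x branch the vendor notices on this page also call affected; the host names and versions are assumed, not real data.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges from the table above: lower bound inclusive, upper bound
# exclusive, i.e. the "Fixed in" build is the first safe one. The 9.x branch
# is included because the vendor notices on this page call it affected too.
AFFECTED_RANGES: List[Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = [
    ((10, 0, 0), (10, 7, 1)),
    ((11, 0, 0), (11, 1, 0)),
]
LEGACY_AFFECTED_MAJOR = 9


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Convert a CrushFTP version string into (major, minor, patch, build).

    Handles '10.7.0', '11.1' and build-suffixed strings such as '11.3.4_23'.
    Comparing the raw strings is the classic mistake: '10.10.0' < '10.7.1'
    as text, because '1' sorts before '7'. Integer tuples compare correctly.
    """
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = (int(g) if g is not None else 0 for g in m.groups())
    return major, minor, patch, build


def is_affected(version: str) -> bool:
    """True when the version falls inside a range the advisory lists as vulnerable."""
    v = parse_version(version)
    if v[0] == LEGACY_AFFECTED_MAJOR:
        return True
    return any(lo <= v[:3] < hi for lo, hi in AFFECTED_RANGES)


# Constructed inventory (hypothetical hosts and versions, not real data).
INVENTORY: Dict[str, str] = {
    "mft-01.example.test": "10.7.0",
    "mft-02.example.test": "10.7.1",
    "mft-03.example.test": "11.0.0",
    "mft-04.example.test": "11.3.4_23",
    "mft-legacy.example.test": "9.5",
}


def hosts_needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts still running an affected build, sorted for reporting."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in hosts_needing_upgrade(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is affected by CVE-2024-4040")
```

Versions below 9 or at 12 and above fall outside every listed range and are reported as not affected; the table says nothing about them, so treat that result as "not covered by this advisory" rather than "safe".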
Detection & IOCs (extracted from sources)
- CVE-2024-4040 is a server-side template injection (SSTI) vulnerability enabling VFS sandbox escape; detection should focus on unauthenticated requests to the CrushFTP WebInterface that attempt to read files outside the VFS sandbox.
- The vulnerability is fully unauthenticated and trivially exploitable via the CrushFTP WebInterface HTTP(S) port; monitor for unauthenticated file read attempts as root and unexpected admin session creation.
- Any unauthenticated or authenticated user via the WebInterface could retrieve system files not part of their VFS; alert on HTTP requests from unauthenticated sessions accessing paths outside the configured VFS root.
- Exploitation was observed in targeted attacks against multiple U.S. organizations in an intelligence-gathering campaign; treat CrushFTP WebInterface exposure as high-priority for threat hunting.
- Shadowserver identified 1,401 unpatched CrushFTP instances; prioritize scanning for CrushFTP versions prior to 10.7.1 and 11.1.0 on internet-exposed hosts.
- Instances protected by a DMZ (demilitarized zone) perimeter network in front of the main CrushFTP instance are protected against attacks exploiting this vulnerability.
- CrushFTP v9.x is also affected; customers still running v9 should upgrade to v11 or update via the dashboard immediately.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| VulnCheck | | 9.8 | CRITICAL | |
| CISA | | 10.0 | CRITICAL | |
GHSA
GHSA-46vf-c8gj-2pgq: VFS Sandbox Escape in CrushFTP in all versions before 10
ghsa_unreviewed · 2024-04-22 · CVE-2024-4040 · HIGH · CWE-1336
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
VulnCheck
CrushFTP VFS Sandbox Escape Vulnerability
vulncheck · 2024 · CVSS 9.8 · CVE-2024-4040 · CRITICAL · CWE-1336
CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS).
Affected: CrushFTP CrushFTP
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
- https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-05-14
CISA
CrushFTP VFS Sandbox Escape Vulnerability
cisa · 2024-04-24 · CVSS 10.0 · CVE-2024-4040 · CRITICAL · CWE-1336
Vulnerability: CrushFTP VFS Sandbox Escape Vulnerability
Affected: CrushFTP CrushFTP
CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes:
- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update&version=34
- https://nvd.nist.gov/vuln/detail/CVE-2024-4040
Remediation Due Date: 2024-05-01
Suricata
ET WEB_SPECIFIC_APPS CrushFTP working_dir Template Injection Attempt (CVE-2024-4040)
suricata · 2024-04-26 · CVSS 9.8 · CVE-2024-4040 · CRITICAL
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CrushFTP working_dir Template Injection Attempt (CVE-2024-4040)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WebInterface/function/?command|3d|"; fast_pattern; startswith; content:"c2f|3d|"; content:"path|3d 7b|working_dir|7d|"; content:"names|3d|"; http.cookie; content:"CrushAuth|3d|"; content:"c2f|3d|"; distance:0; reference:cve,2024-4040; reference:url,attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis; classtype:attempted-recon; sid:2052277; rev:1; metadata:affected_product CrushFTP, attack_target FTP_Server, tls_state TLSDecrypt, created_at 2024_04_26, cve CVE_2024_4040, deployment Perim
```
Suricata
ET WEB_SPECIFIC_APPS CrushFTP Arbitrary File Read Attempt (CVE-2024-4040)
suricata · 2024-04-26 · CVSS 9.8 · CVE-2024-4040 · CRITICAL
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CrushFTP Arbitrary File Read Attempt (CVE-2024-4040)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WebInterface/function/?command|3d|"; fast_pattern; startswith; content:"c2f|3d|"; content:"path|3d 3c|INCLUDE|3e 2f|"; content:"names|3d|"; http.cookie; content:"CrushAuth|3d|"; content:"c2f|3d|"; distance:0; reference:cve,2024-4040; reference:url,attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis; classtype:web-application-attack; sid:2052276; rev:1; metadata:affected_product CrushFTP, attack_target FTP_Server, tls_state TLSDecrypt, created_at 2024_04_26, cve CVE_2024_4040, deployment Perimeter, deployment
```
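Both ET rules are plain content matches on the request head: a POST whose URI starts with `/WebInterface/function/?command=` and also contains `c2f=`, `names=` and one of the two `path=` tokens, plus a `Cookie` header carrying `CrushAuth=` followed by `c2f=`. The only difference between sid 2052277 and sid 2052276 is the `path=` token (`{working_dir}` versus `<INCLUDE>/`, decoding the `|hex|` escapes). The following is an added example, not code from the page or from Emerging Threats, that re-implements that matching logic in Python so it can be run over request heads taken from a reverse proxy or access log; the four sample requests are constructed with placeholder values and are not captured traffic.

```python
from dataclasses import dataclass
from typing import Dict, List

# Tokens from the two ET rules above with Suricata's |hex| escapes decoded:
# |3d| '=', |7b| '{', |7d| '}', |3c| '<', |3e| '>', |2f| '/'.
URI_PREFIX = "/WebInterface/function/?command="   # content + startswith
COMMON_URI_TOKENS = ("c2f=", "names=")           # required in http.uri by both sids
SID_TOKENS = {
    2052277: "path={working_dir}",   # working_dir Template Injection Attempt
    2052276: "path=<INCLUDE>/",      # Arbitrary File Read Attempt
}


@dataclass
class RequestHead:
    method: str
    uri: str
    headers: Dict[str, str]   # header names lower-cased


def parse_request_head(raw: str) -> RequestHead:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return RequestHead(method, uri, headers)


def cookie_matches(cookie: str) -> bool:
    """http.cookie: 'CrushAuth=' and then, at distance:0, 'c2f=' after it."""
    start = cookie.find("CrushAuth=")
    return start != -1 and "c2f=" in cookie[start + len("CrushAuth="):]


def matching_sids(req: RequestHead) -> List[int]:
    """Return the sids whose content matches this request head satisfies."""
    if req.method != "POST" or not req.uri.startswith(URI_PREFIX):
        return []
    if not all(tok in req.uri for tok in COMMON_URI_TOKENS):
        return []
    if not cookie_matches(req.headers.get("cookie", "")):
        return []
    return [sid for sid, tok in SID_TOKENS.items() if tok in req.uri]


# Constructed request heads for exercising the logic; every value is a placeholder.
SAMPLE_REQUESTS: Dict[str, str] = {
    "ordinary_call": (
        "POST /WebInterface/function/?command=placeholder&c2f=placeholder"
        "&path=/placeholder&names=placeholder HTTP/1.1\r\n"
        "Host: mft.example.test\r\n"
        "Cookie: CrushAuth=placeholder; c2f=placeholder\r\n\r\n"
    ),
    "working_dir_probe": (
        "POST /WebInterface/function/?command=placeholder&c2f=placeholder"
        "&path={working_dir}&names=placeholder HTTP/1.1\r\n"
        "Host: mft.example.test\r\n"
        "Cookie: CrushAuth=placeholder; c2f=placeholder\r\n\r\n"
    ),
    "include_probe": (
        "POST /WebInterface/function/?command=placeholder&c2f=placeholder"
        "&path=<INCLUDE>/placeholder&names=placeholder HTTP/1.1\r\n"
        "Host: mft.example.test\r\n"
        "Cookie: CrushAuth=placeholder; c2f=placeholder\r\n\r\n"
    ),
    "no_session_cookie": (
        "POST /WebInterface/function/?command=placeholder&c2f=placeholder"
        "&path={working_dir}&names=placeholder HTTP/1.1\r\n"
        "Host: mft.example.test\r\n\r\n"
    ),
}


def scan(samples: Dict[str, str]) -> Dict[str, List[int]]:
    """Map each sample name to the sids it would trigger."""
    return {name: matching_sids(parse_request_head(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, sids in scan(SAMPLE_REQUESTS).items():
        print(f"{name}: {sids or 'no match'}")
```

Two caveats the rule metadata makes explicit: `tls_state TLSDecrypt` means the signatures only see HTTPS traffic where it is decrypted (a TLS-terminating proxy or the server's own access logs are the usual vantage points), and the `http.cookie` clause means a request without a `CrushAuth` cookie does not fire at all, as the last sample shows. A match is an attempt, not a confirmed compromise; pair it with the session and admin-account checks listed under Detection & IOCs above.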
Nuclei
CrushFTP VFS - Sandbox Escape LFR
nuclei · CVSS 10.0 · CVE-2024-4040 · CRITICAL
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
Template:
```yaml
id: CVE-2024-4040
info:
  name: CrushFTP VFS - Sandbox Escape LFR
  author: DhiyaneshDK,pussycat0x
  severity: critical
  description: |
    VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
  impact: |
    Successful exploitation could lead to unauthorized access to sensitive data.
  remediation: |
    Apply the vendor-supplied patch or upgrade to the latest version to mitigate CVE-2024-4040.
  reference:
    - https://www.bleepingcomputer.com/n
```
Metasploit
CrushFTP Unauthenticated Arbitrary File Read
metasploit
This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and < 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).
Bleepingcomputer
Over 1,000 CrushFTP servers exposed to ongoing hijack attacks
blogs_bleepingcomputer · 2025-07-21 · CVSS 9.0 · CVE-2025-54309 · CRITICAL
By Sergiu Gatlan
Over 1,000 CrushFTP instances currently exposed online are vulnerable to hijack attacks that exploit a critical security bug, providing admin access to the web interface.
The security vulnerability (CVE-2025-54309) is due to mishandled AS2 validation and impacts all CrushFTP versions below 10.8.5 and 11.3.4_23. The vendor tagged the flaw as actively exploited in the wild on July 19th, noting that attacks may have begun earlier, although it has yet to find evidence to confirm this.
"July 18th, 9AM CST there is a 0-day exploit seen in the wild. Possibly it has been going on for longer, but we saw it then. Hackers apparently reverse engineered our code and found some bug which we had already fixed," reads
Tenable
CVE-2025-54309: CrushFTP Zero-Day Vulnerability Exploited In The Wild
blogs_tenable · 2025-07-18 · CVSS 9.0 · CRITICAL
Bleepingcomputer
Critical auth bypass bug in CrushFTP now exploited in attacks
blogs_bleepingcomputer · 2025-04-01 · CVSS 9.8 · CVE-2025-2825 · CRITICAL
By Sergiu Gatlan
Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code.
The security vulnerability (CVE-2025-2825) was discovered and reported by Outpost24 (which identifies it as CVE-2025-31161), and it allows remote attackers to gain unauthenticated access to devices running unpatched CrushFTP v10 or v11 software.
"Please take immediate action to patch ASAP. The bottom line of this vulnerability is that an exposed HTTP(S) port could lead to unauthenticated access," CrushFTP warned in an email sent to customers on Friday, March 21, when it released patches to address the security flaw.
As a wor
Wiz
Crying Out Cloud - May 2024 Newsletter | Wiz
blogs_wiz · 2024-05-06 · CVSS 10.0 · CRITICAL
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
## 🔎 Highlights
Architecture Risks that May Compromise AI-as-a-Service Providers
Wiz research recently performed a security audit of Hugging Face and discovered several security issues that would have allowed an actor running a specially-crafted malicious model on Hugging Face's infrastructure to achieve remote code execution and cross-tenant access to other customers' spaces or models. All these issues were remediated by Hugging Face and no customer action is required.
Learn more in our blog.
## 🐞 High Profile Vulnerabilities
DoS Vulnerability in HTTP/2 CONTINUATION Frames
Qualys
CrushFTP Server Zero-Day Exploit Enables Full Server Compromise | Qualys
blogs_qualys · 2024-04-30 · CVSS 9.8 · CVE-2024-4040 · CRITICAL
#### Table of Contents
- Vulnerability Scope & Details
- About the Vendor
- Detecting the Vulnerability with Qualys WAS
- Solution
- Credits
## Vulnerability Scope & Details
CrushFTP disclosed a zero-day vulnerability in their software on April 19, 2024. The vulnerability is published on CVE-2024-4040.
Affected versions:
- 9.x versions
- before 10.7.1
- 11.1.0
The CVSS score is 9.8.
The vulnerability allows remote attackers to bypass the VFS sandbox and access files outside their designated limits without authentication. The vulnerability was exploited to do unauthenticated remote code execution which resulted in attackers being able to read sensitive files.
CISA added the vulnerability to the KEV Catalog on April 24, 2024.
## About the Vendor
CrushFTP is a file server supporting
Qualys
CrushFTP Zero-Day Exploitation Due to CVE-2024-4040
blogs_qualys · 2024-04-30 · CVSS 9.8 · CVE-2024-4040 · CRITICAL
Checkpoint
29th April – Threat Intelligence Report
blogs_checkpoint · 2024-04-29 · CVE-2024-4040
## 29th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Germany has revealed a sophisticated state-sponsored hacking campaign targeting Volkswagen, orchestrated by Chinese hackers since 2010. The attackers successfully infiltrated VW’s networks multiple times, extracting thousands of documents critical to automotive technology, including electric and hydrogen vehicle innovations.
Bleepingcomputer
Over 1,400 CrushFTP servers vulnerable to actively exploited bug
blogs_bleepingcomputer · 2024-04-25 · CVSS 9.8 · CVE-2024-4040 · CRITICAL
By Sergiu Gatlan
Over 1,400 CrushFTP servers exposed online were found vulnerable to attacks currently targeting a critical severity server-side template injection (SSTI) vulnerability previously exploited as a zero-day.
While CrushFTP describes CVE-2024-4040 as a VFS sandbox escape in its managed file transfer software that enables arbitrary file reading, unauthenticated attackers can use it to gain remote code execution (RCE) on unpatched systems.
The company warned customers on Friday to "update immediately" to block attacker attempts to escape the user's virtual file system (VFS) and download system files.
On Tuesday, Rapid7's vulnerability research team confirmed the security flaw's severity, saying it was "full
Wiz
CrushFTP vulnerability CVE-2024-4040: what you need to know | Wiz Blog
blogs_wiz · 2024-04-24 · CVSS 9.8 · CVE-2024-4040 · CRITICAL
On April 19, 2024, CrushFTP, a managed file transfer vendor disclosed a 0day vulnerability in several versions of its software through a private mailing list. This severe vulnerability, identified as CVE-2024-4040 with a CVSS score of 9.8, was discovered by Simon Garrelou and assigned by a third-party CNA (DirectCyber) on April 22. The vulnerability affects versions prior to `10.7.1` and `11.1.0`, including older `9.x` versions. Initially and temporarily identified by Wiz as CVE-WIZ-003 before the official CVE assignment, CrushFTP described the vulnerability as one allowing remote attackers with limited privileges to bypass the VFS sandbox and access files outside their designated limits. However, researchers have since been able to exploit the vulnerability to achieve unauthenticated remo
Wiz
CrushFTP vulnerability CVE-2024-4040: what you need to know | Wiz Blog
blogs_wiz · 2024-04-24 · CVSS 9.8 · CVE-2024-4040 · CRITICAL
## What is CVE-2024-4040?
The public advisory from CrushFTP describes CVE-2024-4040 as a VFS sandbox escape that permits low-privileged remote attackers to read files beyond the intended limits of the VFS Sandbox in its file transfer software. Researchers further analyzed the vulnerability and concluded that it can be exploited without authentication and with minimal technical effort, allowing attackers not only to read files at the root level but also to bypass authentication mechanisms for administrator accounts and execute code remotely. Although officially recorded as an arbitrary file read, the vulnerability might be more accurately termed as a server-side template injection (SSTI). The vulnerability has also been observed being exploited in the wild by threat ac
Tenable
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
blogs_tenable · 2024-04-23 · CVSS 9.8 · CRITICAL
Bleepingcomputer
CrushFTP warns users to patch exploited zero-day “immediately”
blogs_bleepingcomputer · 2024-04-19 · CVSS 9.8 · CVE-2024-4040 · CRITICAL
By Sergiu Gatlan
Update April 22, 16:31 EDT: This CrushFTP VFS sandbox escape vulnerability is now tracked as CVE-2024-4040.
CrushFTP warned customers today in a private memo of an actively exploited zero-day vulnerability fixed in new versions released today, urging them to patch their servers immediately.
As the company also explains in a public security advisory published on Friday, this zero-day bug enables unauthenticated attackers to escape the user's virtual file system (VFS) and download system files.
However, those using a DMZ (demilitarized zone) perimeter network in front of their main CrushFTP instance are protected against attacks.
"Please take immediate action to patch ASAP. A vulnerability was reported
Greynoiseio
Storm⚡️Watch
blogs_greynoiseio
arXiv
Efficacy of EPSS in High Severity CVEs found in KEV
arxiv_fulltext · 2024-11-04
## Abstract
The Exploit Prediction Scoring System (EPSS) is designed to assess the probability of a vulnerability being exploited in the next 30 days relative to other vulnerabilities. The latest version, based on a research paper published in arXiv, assists defenders in deciding which vulnerabilities to prioritize for remediation. This study evaluates EPSS's ability to predict exploitation before vulnerabilities are actively compromised, focusing on high severity CVEs that are known to have been exploited and included in the CISA KEV catalog. By analyzing EPSS score history, the availability and simplicity of exploits, the system's purpose, its value as a target for Threat Actors (TAs), this paper examines EPSS's potential and identifies ar
References
- https://github.com/airbus-cert/CVE-2024-4040
- https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
- https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
- https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
- https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
- https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4040
Timeline
- 2024-04-22: Published
- 2024-04-24: Added to CISA KEV
- Exploited in the wild