More than 1,400 CrushFTP managed file transfer software instances remain vulnerable to a recently disclosed zero-day, according to data from the Shadowserver Foundation shows.
Tracked as CVE-2024-4040 (CVSS score of 9.8), the critical-severity bug is described as a server-side template injection that allows remote attackers to escape the virtual file system (VFS) sandbox, gain administrative privileges, and execute arbitrary code.
CrushFTP disclosed the flaw on April 19, warning customers of in-the-wild exploitation and urging them to upgrade to version 10.71 or 11.1.0, which address it. CrushFTP versions 9, 10, and 11 are affected.
On April 22, one day before Simon Garrelou of Airbus CERT, who was credited for discovering CVE-2024-4040, published proof-of-concept (PoC) code targeting the bug, CrushFTP updated its advisory to warn that using a DMZ in front of the application is no longer considered a protection option and that migrating to a patched version is essential.
On April 24, the US cybersecurity agency CISA added the security defect to its Known Exploited Vulnerabilities (KEV) catalog, setting deadlines for federal agencies to identify vulnerable hosts within their environments and patch them by May 1.
While details on the observed attacks are scarce, CrowdStrike warned a week ago that threat actors had been exploiting it in a targeted fashion, mainly against entities in the United States.
The concentration of attacks in the US is not surprising. Censys says that half of the roughly 5,000 hosts running CrushFTP servers are in the US, while Tenable claims there might be over 7,100 publicly accessible CrushFTP servers, with 2,900 of them in the US.
On Thursday, the Shadowserver Foundation said that more than 1,400 publicly accessible CrushFTP installations were likely impacted by the exploited vulnerability. Of these, over 700 are in the US.
CrushFTP customers are advised to update to a patched version of the enterprise file transfer application as soon as possible. Not only is CVE-2024-4040 under active exploitation, but, according to Rapid7, “it is fully unauthenticated and trivially exploitable.”
“Successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance,” Rapid7 explains.
The cybersecurity firm also notes that detecting exploitation attempts is difficult because payloads for this bug can be delivered in multiple forms and logs and request histories can be manipulated to remove evidence of attacks. Furthermore, even CrushFTP instanced behind a standard reverse proxy may be targeted.
Related: Thousands of Palo Alto Firewalls Impacted by Exploited Zero-Day
Related: Critical WordPress Automatic Plugin Flaw Exploited to Inject Backdoors
Related: Magento Vulnerability Exploited to Deploy Persistent Backdoor
