
Uncovered Zero-Day Vulnerability in CrushFTP, Caused by Security Flaw CVE-2024-4040

Unauthenticated hackers can fully compromise CrushFTP servers due to the CVE-2024-4040 vulnerability. Find out how Qualys assists in identifying and minimizing this risk.

Unforeseen Vulnerability in CrushFTP Leaves Systems Exposed due to CVE-2024-4040

In a significant development for cybersecurity, CrushFTP, a popular file server software that supports standard secure file transfer protocols, disclosed a zero-day vulnerability on April 19, 2024. The vulnerability, designated CVE-2024-4040, poses a serious threat because it leads to unauthenticated remote code execution.

The vulnerability, known as the CrushFTP VFS Sandbox Escape Vulnerability, allows attackers to read sensitive files and, worse still, bypass the VFS sandbox and access files outside their designated limits without authentication. This could potentially compromise the security of organizations and institutions using CrushFTP server software with virtual file system (VFS) sandbox features.

The vulnerability has been given a CVSS score of 9.8, indicating its high severity. CVSS is the standard scale for rating the severity of cybersecurity threats, and 9.8 is one of the highest possible scores, signifying an extremely critical vulnerability.

In response to this threat, CrushFTP has advised customers to upgrade to version 11.1.0, version 10.7.1, or a later version to remediate this vulnerability. The update information can be found at https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update.

Additionally, Qualys, a leading provider of cloud-based security and compliance solutions, released QID 150884 on April 25 to detect the CrushFTP VFS Sandbox Escape Vulnerability (CVE-2024-4040). As scans run, detections for this vulnerability appear in the Qualys dashboard under Severity '4'.

The vulnerability affects CrushFTP 9.x, 10.x releases before 10.7.1, and 11.x releases before 11.1.0. It's important to note that CrushFTP is a versatile tool: organizations can customize it through its WebInterface, and it provides monitoring capabilities.
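As an added example (not from this article, CrushFTP or Qualys), the following Python helper classifies CrushFTP version strings from an asset inventory against the affected and fixed versions stated above; the inventory format, hostnames and version values are constructed assumptions.

```python
import re

# Fixed releases named in the article: 10.7.1 for the 10.x line, 11.1.0 for 11.x.
FIXED_10 = (10, 7, 1)
FIXED_11 = (11, 1, 0)

def parse_version(text):
    """Turn a CrushFTP version string such as '10.7.0' or '11.0.3_12' into a
    comparable integer tuple; return None if nothing parseable is found."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(version):
    """True if the version is in an affected range (9.x, 10.x < 10.7.1, 11.x < 11.1.0).
    Tuple comparison avoids the string-compare trap where '10.10.0' < '10.7.1'."""
    v = parse_version(version)
    if v is None:
        return None
    if v[0] < 10:
        return True            # 9.x has no fixed release; upgrade to 10.7.1+/11.1.0+
    if v[0] == 10:
        return v < FIXED_10
    return v < FIXED_11        # 11.x; later major lines are assumed to carry the fix

SAMPLE_INVENTORY = [  # constructed sample (host,version); hostnames and versions are made up
    "# host,version",
    "ftp-a.example.internal,10.7.0",
    "ftp-b.example.internal,10.7.1",
    "ftp-c.example.internal,11.0.3",
    "ftp-d.example.internal,11.1.0",
    "ftp-e.example.internal,9.3.1",
    "ftp-f.example.internal,10.10.0",
    "ftp-g.example.internal,n/a",
]

def triage_inventory(lines):
    """Return (host, version, note) for every host that is still affected or
    whose version could not be parsed; comment lines are skipped."""
    findings = []
    for line in lines:
        host, _, ver = (part.strip() for part in line.partition(","))
        if not host or host.startswith("#"):
            continue
        status = is_vulnerable(ver)
        if status is None:
            findings.append((host, ver, "unknown version - verify manually"))
        elif status:
            findings.append((host, ver, "affected by CVE-2024-4040 - upgrade"))
    return findings
```

Hosts reported by `triage_inventory` are the ones that still need the upgrade described above, or a manual version check.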

In a further effort to address this issue, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to the KEV Catalog on April 24, 2024. This move underscores the seriousness of the threat and the need for prompt action by CrushFTP users.

In light of these developments, it's crucial for organizations using CrushFTP server software to take immediate action and upgrade to the latest versions to safeguard their sensitive data and maintain the integrity of their systems.
