1,400+ CrushFTP Servers at Risk: Update Now!

Over 1,400 internet-accessible CrushFTP servers are vulnerable to attacks exploiting the critical server vulnerability CVE-2024-4040. This flaw, whose active exploitation was reported at the beginning of the week, allows unauthorized attackers to access files and execute remote code on unpatched systems.

CrushFTP has warned its clients of the urgent need to update their software to thwart attempts by malicious actors to bypass the virtual file system (VFS) and download system files.

Researchers from Rapid7 have confirmed that the vulnerability is highly dangerous and can be easily exploited. “Successful exploitation not only allows arbitrary file reading as root but also bypasses authentication for administrator account access and full remote code execution,” the specialists explained.

According to data from Shadowserver, there are over 1,400 vulnerable CrushFTP servers, with the majority located in the USA (725), Germany (115), and Canada (108).

Shodan tracks over 5,200 internet-accessible CrushFTP servers, though it does not specify how many of these are susceptible to attacks.

As noted above, the vulnerability is being actively exploited in targeted attacks and was used as a zero-day before an official patch was available. Hackers are also using this flaw in politically motivated campaigns to gather intelligence.

CrushFTP users are urged to promptly update their installations to patched versions and to regularly check the vendor’s website for the latest instructions to protect against ongoing exploitation attempts.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2024-4040 to its catalog of known exploited vulnerabilities and has ordered U.S. federal agencies to secure vulnerable servers within a week.