CrushFTP Zero-Day Patched: Update Now (v11.1.0)
Users of the CrushFTP file transfer software are strongly advised to upgrade to the latest version following the discovery of a vulnerability that has been subject to targeted exploitation.
CrushFTP has issued a warning regarding a zero-day vulnerability present in CrushFTP versions v11 to 11.1. The issue allowed users to bypass the Virtual File System (VFS) and download system files. This vulnerability has been addressed in version 11.1.0.
Organizations utilizing CrushFTP within demilitarized zones (DMZs) may be shielded from such attacks. However, other users are urged to promptly install the update.
The vulnerability was identified by Simon Garrel of Airbus CERT, but it has not yet been assigned an official CVE identifier.
According to CrowdStrike, there have already been instances of this flaw being exploited against American organizations, with indications that the attackers’ motivations are politically driven.
CrushFTP confirmed that the company responded swiftly to the issue, implementing a fix within hours of being notified. All CrushFTP v10 versions are now secured with update 10.7.1, and v11 versions with update 11.1. Users of the older v9 version can receive updates through the extended support program.
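For administrators who need to check an inventory of CrushFTP installations against the fixed versions named above (10.7.1 for the v10 line, 11.1.0 for the v11 line, extended support for v9), the following is an added example written for this page; it is not CrushFTP's own tooling. It assumes that version strings are dotted numerics, optionally prefixed with "v", and that a version equal to or later than the fixed release on the same major line carries the fix. The inventory data is constructed for illustration.

```python
from typing import Dict, List, Tuple

# Fixed releases as stated in the advisory summary (assumption: these are the
# only thresholds that matter for the v10 and v11 lines).
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    10: (10, 7, 1),
    11: (11, 1, 0),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v11.1', '10.7.1' or ' 11.0.3 ' into a 3-tuple of ints.

    Missing trailing components are padded with 0, so '11.1' == (11, 1, 0).
    Comparing tuples of ints avoids the classic string-comparison mistake
    where '10.10' sorts below '10.7'.
    """
    cleaned = version.strip().lstrip("vV")
    parts = cleaned.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def status(version: str) -> str:
    """Classify one installed version relative to the advisory."""
    v = parse_version(version)
    major = v[0]
    if major <= 9:
        return "unsupported"          # v9 and older: updates only via extended support
    if major not in FIXED_VERSIONS:
        return "unknown"              # major line not covered by this advisory
    return "patched" if v >= FIXED_VERSIONS[major] else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by status so the ones needing action stand out."""
    groups: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        try:
            key = status(version)
        except ValueError:
            key = "unparseable"
        groups.setdefault(key, []).append(host)
    for hosts in groups.values():
        hosts.sort()
    return groups


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "ftp-dmz-01": "11.1.0",
    "ftp-dmz-02": "v11.0.3",
    "ftp-int-01": "10.6.2",
    "ftp-int-02": "10.10",   # numerically newer than 10.7.1 despite '10.10' < '10.7' as text
    "ftp-legacy": "9.4.1",
    "ftp-lab":    "build-2024",
}

if __name__ == "__main__":
    for state, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{state:12s} {', '.join(hosts)}")
```

Hosts reported as "vulnerable" are the ones the advisory says to update immediately; "unsupported" hosts are on the v9 line and need the extended support program; "unparseable" entries should be checked by hand rather than silently assumed safe.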