
Critical CrushFTP zero-day vulnerability under attack


While a patch is now available, a critical CrushFTP vulnerability came under attack as a zero-day and could allow attackers to exfiltrate all files on the server.


A critical CrushFTP zero-day vulnerability is being exploited in the wild and could allow an attacker to bypass authentication, gain administrative access and perform full remote code execution on the file transfer server.

The managed file transfer vendor publicly disclosed the server-side template injection vulnerability, now tracked as CVE-2024-4040, in an advisory on April 19, following a private email notification to customers earlier that day. The zero-day vulnerability affects the CrushFTP Virtual File System (VFS) in all versions below 11.1, but the vendor released a patch on April 19 with instructions on how to upgrade to the fixed version. CrushFTP credited Simon Garrelou, security engineer at Airbus CERT, with discovering and reporting the vulnerability.
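The immediate task for a defender reading the paragraph above is to find which CrushFTP hosts still run a version below 11.1. The following is an added example, not code from the article or from CrushFTP: it parses the version number out of a reported banner string, compares it against the fixed version the article names, and buckets a constructed, hypothetical host inventory into hosts that need patching and hosts that do not. Hostnames and banner strings are made-up sample data.

```python
"""Flag CrushFTP hosts whose reported version is below the fixed release.

Added example (not from the article or from CrushFTP). The inventory
below is constructed sample data with hypothetical hostnames.
"""
import re

# Per the vendor advisory as summarized in the article: all versions
# below 11.1 are affected by CVE-2024-4040.
FIXED_VERSION = "11.1"


def parse_version(banner: str) -> tuple:
    """Turn '11.0.3' or 'CrushFTP 11.1.0 build 2024-04-19' into a comparable tuple.

    Only the first dotted run of digits is used, so trailing build text is
    ignored. The tuple is padded with zeros so '11.1' and '11.1.0' compare equal.
    """
    match = re.search(r"\d+(?:\.\d+)*", banner)
    if not match:
        raise ValueError(f"no version number found in {banner!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(banner: str) -> bool:
    """True when the reported version is strictly below the fixed version."""
    return parse_version(banner) < parse_version(FIXED_VERSION)


def triage(inventory: list) -> dict:
    """Split a list of (host, banner) pairs into 'patch' and 'ok' buckets."""
    result = {"patch": [], "ok": []}
    for host, banner in inventory:
        result["patch" if is_affected(banner) else "ok"].append(host)
    return result


# Constructed sample inventory: hypothetical hostnames and banner strings.
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "CrushFTP 11.0.3"),
    ("mft-02.example.internal", "CrushFTP 11.1.0 build 2024-04-19"),
    ("mft-03.example.internal", "10.7.0"),
    ("mft-04.example.internal", "11.1"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(bucket, hosts)
```

The check follows the article's statement literally (anything below 11.1 is flagged). Confirm against the vendor's own advisory for the exact fixed builds before closing out a host, and treat a banner that does not parse as unknown rather than safe.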

Airbus CERT ...


Copyright of this story solely belongs to searchsecurity.techtarget.com.