CrushFTP Discloses Critical Zero-Day Bug

If you use CrushFTP for your file transfers, stop reading this article and patch your system immediately.  

CrushFTP file servers running 10.x versions before 10.7.1, or 11.x versions before 11.1.0, are vulnerable to a major security bug that has been actively exploited. Some 1400 servers are still affected.

The bug, tracked as CVE-2024-4040 by the National Institute of Standards and Technology (NIST), has been rated 10/10 for the imminent threat it poses to CrushFTP users, and “allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.”
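A branch-aware version check, added here as an example rather than code from CrushFTP or Nodal, that uses only the two fixed releases named above (10.7.1 for 10.x, 11.1.0 for 11.x) to triage an inventory of version strings; how it treats branches older than 10.x or newer than 11.x is an assumption, flagged in the code.

```python
import re
from typing import Optional, Tuple

# Added example: first fixed release per branch, as given in the advisory.
# Python tuples compare element-wise, so (10, 7, 0) < (10, 7, 1) holds.
FIXED_BY_BRANCH = {10: (10, 7, 1), 11: (11, 1, 0)}

_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '10.7.1', 'v11.1' or '11' into (major, minor, patch).

    Missing components count as 0; junk such as 'beta' yields None.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates its branch's CVE-2024-4040 fix.

    None means the string could not be parsed and needs a manual look.
    Assumptions (not from the advisory): anything below 10.x never got
    a fix, and any branch newer than 11.x shipped with it.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    major = parsed[0]
    if major < 10:
        return True
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        return False
    return parsed < fixed


def triage(versions) -> dict:
    """Bucket an inventory of version strings for a patch-status report."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for v in versions:
        state = is_vulnerable(v)
        key = "unknown" if state is None else ("vulnerable" if state else "patched")
        report[key].append(v)
    return report
```

Feed `triage()` the version strings collected from your own servers; anything landing in "unknown" should be checked by hand rather than assumed patched.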

In short: Organizations that rely on CrushFTP to transfer data can expect to be compromised if they haven’t been already.

This is not the first major security vulnerability discovered in CrushFTP; another critical security hole was discovered in November 2023.

FTP servers are a prime target of opportunity for threat actors, since they typically hold large archives of potentially sensitive data. The age of FTP as a protocol (53 years) often means it is less secure than newer alternatives designed specifically with security in mind. For this reason, Nodal generally recommends that our clients avoid running their own file server instances.

Wondering if you’re vulnerable to this or other major zero-day exploits? Not sure which CrushFTP version you may be running? Nodal can help! Contact us today.