CrushFTP is a proprietary file transfer server that supports multiple protocols and runs on macOS, Linux and Windows. It is distributed as shareware with a tiered pricing model and is aimed at everyone from home users to corporate customers. On April 19, 2024, the vendor published a security advisory stating that a critical vulnerability (CVE-2024-4040) had been discovered in the software and is already being exploited by attackers.
The security advisory dated April 19, 2024 states that CrushFTP v11 versions below 11.1 are affected. The vulnerability (CVE-2024-4040), rated critical, allows users to escape their VFS (CrushFTP's virtual file system, the per-user sandbox that is supposed to confine what a user can see on the server) and download system files. An attacker who can read arbitrary files from the underlying host rather than only from the sandboxed VFS is of course a lucrative outcome for attackers, which explains the active exploitation.
The vulnerability has been fixed in version 11.1.0. Customers running a CrushFTP DMZ instance in front of their main CrushFTP instance are partially protected by the protocol translation the DMZ performs. A DMZ is not a complete mitigation, however, and according to the vendor users must update immediately to be safe again.
The company warned customers by email that the vulnerability is being exploited in the wild, as our colleagues at Bleeping Computer report here. Customers whose servers are still running CrushFTP v9 should upgrade to v11 immediately; everyone else should update their instance via the dashboard to be protected again, the vendor says. Before and after updating, it is worth confirming the actually running version in the dashboard rather than relying on the version that was originally installed.