CrushFTP customers have been warned to patch an actively exploited vulnerability that allows attackers to download system files.
In an advisory dated April 19, 2024, the file transfer company said that CrushFTP v11 versions below 11.1 contain the flaw, which enables users to escape their virtual file system (VFS) and download system files.
The vulnerability was reported by Simon Garrelou and has been patched in v11.1.0 of the software, which is available for customers to update via their dashboard.
According to the advisory, customers running a demilitarized zone (DMZ) CrushFTP instance in front of their main CrushFTP instance are protected from attacks.
Anyone using CrushFTP v10, 9 or earlier needs a v11 license to download the update.
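The advisory boils down to three cases (v11 below 11.1 needs the 11.1.0 patch, v11.1.0 and later is fixed, v10 and earlier needs a v11 license before the fix can be applied). The following script, added here as an illustration and not CrushFTP's or CrowdStrike's own tooling, triages an inventory of instances against those cases. The host names and version strings in `INVENTORY` are constructed; the version-string format (an optional `v` prefix followed by up to three numeric components) is an assumption.

```python
"""Triage a CrushFTP inventory against the April 19, 2024 advisory.

Added example, not vendor code. INVENTORY below is constructed sample data;
replace it with output from your asset database.
"""
import re

# First fixed release named in the advisory.
PATCHED = (11, 1, 0)

# Constructed sample inventory: host -> reported CrushFTP version string.
INVENTORY = {
    "ftp-a.example.test": "v11.0.2",
    "ftp-b.example.test": "11.1.0",
    "ftp-c.example.test": "10.7.0",
    "ftp-d.example.test": "v9.4",
}

_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(text):
    """Turn 'v11.0.2', '11.1' or '9.4' into a comparable (major, minor, patch) tuple.

    Missing trailing components are treated as zero, so '11.1' == (11, 1, 0).
    Unrecognised strings raise rather than silently comparing as safe.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    return tuple(int(part) if part else 0 for part in m.groups())


def triage(version):
    """Return the action the advisory implies for a single install."""
    parsed = parse_version(version)
    major = parsed[0]
    if major >= 11:
        # v11 line: only releases below 11.1.0 carry the VFS escape flaw.
        return "ok" if parsed >= PATCHED else "patch to 11.1.0"
    # v10, v9 and earlier cannot take the 11.1.0 update without a v11 license.
    return "upgrade to v11 (license required)"


def triage_inventory(inventory):
    """Map every host in the inventory to its required action."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, action in sorted(triage_inventory(INVENTORY).items()):
        print(f"{host:24} {INVENTORY[host]:8} -> {action}")
```

Hosts flagged "ok" are still worth a log review: CrowdStrike reports exploitation before the advisory was published, so a current version says nothing about whether an instance was hit while it was still unpatched.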
File Transfer Vulnerability Being Actively Exploited
Cybersecurity vendor CrowdStrike revealed in a Reddit post, published after CrushFTP's public disclosure, that it has observed the zero-day flaw being exploited in the wild "in a targeted fashion".
The firm said customers of its Falcon Insight XDR platform can search for CrushFTP executions in their environment, and can read an intelligence report for additional details on tactics, techniques, objectives and attribution.
The title of the intelligence report suggests that CrushFTP servers have been exploited at multiple US entities for intelligence-gathering activity that is potentially politically motivated.
“CrushFTP users should continue to follow the vendor's website for the most up-to-date instructions and prioritize patching,” CrowdStrike added.
File Transfer Software a Major Target
Exploiting file transfer software is an effective way of compromising many targets at once, as demonstrated in the heavily exploited MOVEit file transfer vulnerability in 2023, which drove a huge volume of ransomware attacks by the notorious Clop gang.
In January 2024, Horizon3 published details of a critical vulnerability in managed file transfer (MFT) software Fortra GoAnywhere MFT, which could allow an attacker to take complete remote control of a customer’s environment and access their network.
Attackers can obtain data directly from the file transfer appliance, without requiring additional lateral movement into target environments.