DIVD-2024-00003 - Unauthenticaded Remote Code Execution in CrushFTP
| Our reference | DIVD-2024-00003 |
| Case lead | Alwin Warringa |
| Researcher(s) | |
| CVE(s) | |
| Products |
|
| Versions | all versions prior to 10.5.1 |
| Recommendation | Upgrade to patched versions stated on CrushFTP website |
| Patch status | Patch available |
| Workaround | Restrict access to the webinterface of CrushFTP. |
| Status | Open |
| Last modified | 10 Apr 2024 21:52 |
Summary
CVE-2023-43177 is a critical vulnerability in CrushFTP. The vulnerability could potentially allow unauthenticated attackers with network access to the CrushFTP Instance to write files in the local file system and eventually in some versions could allow the executing of arbitrary system commands.
Recommendations
CrushFTP recommends users to update their CrushFTP software to version 10.5.1 or later as soon as possible.
What we are doing
DIVD has identified vulnerable systems and will notify owners of vulnerable systems. DIVD is also informing trusted information sharing partners for targeted notifications.
Timeline
| Date | Description |
|---|---|
| 13 Dec 2023 | DIVD receives signals about a vulnerability in CrushFTP and starts fingerprinting. |
| 15 Jan 2024 | DIVD identified vulnerable devices |
| 24 Jan 2024 | Case opened, first version of this casefile. |
gantt
title DIVD-2024-00003 - Unauthenticaded Remote Code Execution in CrushFTP
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2024-00003 - Unauthenticaded Remote Code Execution in CrushFTP (still open) :2023-12-13, 2024-05-02
section Events
DIVD receives signals about a vulnerability in CrushFTP and starts fingerprinting. : milestone, 2023-12-13, 0d
DIVD identified vulnerable devices : milestone, 2024-01-15, 0d
Case opened, first version of this casefile. : milestone, 2024-01-24, 0d