DIVD-2024-00003 - Unauthenticated Remote Code Execution in CrushFTP
Field | Value |
---|---|
Our reference | DIVD-2024-00003 |
Case lead | Alwin Warringa |
Researcher(s) | |
CVE(s) | CVE-2023-43177 |
Products | CrushFTP |
Versions | all versions prior to 10.5.1 |
Recommendation | Upgrade to the patched versions stated on the CrushFTP website |
Patch status | Patch available |
Workaround | Restrict access to the web interface of CrushFTP. |
Status | Closed |
Last modified | 01 Jun 2024 22:12 CEST |
Summary
CVE-2023-43177 is a critical vulnerability in CrushFTP. It could allow an unauthenticated attacker with network access to a CrushFTP instance to write files to the local file system and, in some versions, ultimately execute arbitrary system commands.
Recommendations
CrushFTP recommends that users update their CrushFTP software to version 10.5.1 or later as soon as possible.
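The casefile gives one actionable fact for inventory triage: every CrushFTP version prior to 10.5.1 is affected. The script below is an added example (not DIVD's or CrushFTP's own code) that applies that threshold to a list of hosts. The hostnames and version strings are constructed sample data; the only page-sourced value is the 10.5.1 threshold. It also shows why versions must be compared as numeric tuples rather than strings: "10.10.0" sorts before "10.5.1" lexicographically even though it is the newer build, so a naive string comparison would mis-flag patched hosts.

```python
"""Triage a CrushFTP host inventory against the DIVD-2024-00003 patch threshold.

Added example, not code from the casefile or from CrushFTP. The threshold
(all versions prior to 10.5.1 are affected) is taken from the casefile;
the inventory below is constructed sample data.
"""
from typing import List, Tuple

PATCHED_VERSION = (10, 5, 1)  # first fixed release named in the casefile


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.5.1' into (10, 5, 1) for correct numeric ordering.

    Comparing raw strings is wrong: '10.10.0' < '10.5.1' lexicographically,
    yet 10.10.0 is the newer build. Missing trailing components are padded
    with zero, so '10.5' becomes (10, 5, 0). Raises ValueError when a
    component carries no leading digits at all.
    """
    numbers = []
    for part in text.strip().split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break  # stop at any non-numeric suffix
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {part!r} in {text!r}")
        numbers.append(int(digits))
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers)


def is_vulnerable(version: str) -> bool:
    """True when the version is prior to 10.5.1, i.e. inside the affected range."""
    return parse_version(version) < PATCHED_VERSION


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, verdict) for every host.

    verdict is 'upgrade' for affected versions, 'patched' for 10.5.1 and
    later, and 'unknown' when the reported version cannot be parsed (such
    hosts need a manual check rather than being silently skipped).
    """
    results = []
    for host, version in inventory:
        try:
            verdict = "upgrade" if is_vulnerable(version) else "patched"
        except ValueError:
            verdict = "unknown"
        results.append((host, version, verdict))
    return results


# Constructed sample inventory (hostnames and versions are invented).
SAMPLE_INVENTORY = [
    ("ftp-a.example.internal", "10.4.2"),   # affected
    ("ftp-b.example.internal", "10.5.1"),   # first patched release
    ("ftp-c.example.internal", "10.10.0"),  # patched; string compare would get this wrong
    ("ftp-d.example.internal", "9.3"),      # affected, two-component version
    ("ftp-e.example.internal", "unknown"),  # needs a manual check
]

if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {version:10} {verdict}")
```

Hosts marked `upgrade` should be moved to 10.5.1 or later; until then, the casefile's workaround of restricting access to the CrushFTP web interface limits who can reach the affected component.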
What we are doing
DIVD has identified vulnerable systems and will notify owners of vulnerable systems. DIVD is also informing trusted information sharing partners for targeted notifications.
Timeline
Date | Description |
---|---|
13 Dec 2023 | DIVD receives signals about a vulnerability in CrushFTP and starts fingerprinting. |
15 Jan 2024 | DIVD identified vulnerable devices |
24 Jan 2024 | Case opened, first version of this casefile |
17 Apr 2024 | DIVD rescans the internet for vulnerable instances |
17 Apr 2024 | DIVD starts notifying network owners with a vulnerable instance for the second time |
01 Jun 2024 | Case closed |
```mermaid
gantt
title DIVD-2024-00003 - Unauthenticated Remote Code Execution in CrushFTP
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2024-00003 - Unauthenticated Remote Code Execution in CrushFTP (126 days) :2023-12-13, 2024-04-17
section Events
DIVD receives signals about a vulnerability in CrushFTP and starts fingerprinting. : milestone, 2023-12-13, 0d
DIVD identified vulnerable devices : milestone, 2024-01-15, 0d
Case opened, first version of this casefile : milestone, 2024-01-24, 0d
DIVD rescans the internet for vulnerable instances : milestone, 2024-04-17, 0d
DIVD starts notifying network owners with a vulnerable instance for the second time : milestone, 2024-04-17, 0d
Case closed : milestone, 2024-06-01, 0d
```