Skip to the content.

DIVD-2024-00003 - Unauthenticaded Remote Code Execution in CrushFTP

Our reference DIVD-2024-00003
Case lead Alwin Warringa
Researcher(s)
CVE(s)
Products
  • CrushFTP
Versions all versions prior to 10.5.1
Recommendation Upgrade to patched versions stated on CrushFTP website
Patch status Patch available
Workaround Restrict access to the webinterface of CrushFTP.
Status Open
Last modified 10 Apr 2024 21:52

Summary

CVE-2023-43177 is a critical vulnerability in CrushFTP. The vulnerability could potentially allow unauthenticated attackers with network access to the CrushFTP Instance to write files in the local file system and eventually in some versions could allow the executing of arbitrary system commands.

Recommendations

CrushFTP recommends users to update their CrushFTP software to version 10.5.1 or later as soon as possible.

What we are doing

DIVD has identified vulnerable systems and will notify owners of vulnerable systems. DIVD is also informing trusted information sharing partners for targeted notifications.

Timeline

Date Description
13 Dec 2023 DIVD receives signals about a vulnerability in CrushFTP and starts fingerprinting.
15 Jan 2024 DIVD identified vulnerable devices
24 Jan 2024 Case opened, first version of this casefile.
gantt title DIVD-2024-00003 - Unauthenticaded Remote Code Execution in CrushFTP dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00003 - Unauthenticaded Remote Code Execution in CrushFTP (still open) :2023-12-13, 2024-04-30 section Events DIVD receives signals about a vulnerability in CrushFTP and starts fingerprinting. : milestone, 2023-12-13, 0d DIVD identified vulnerable devices : milestone, 2024-01-15, 0d Case opened, first version of this casefile. : milestone, 2024-01-24, 0d

More information